diff --git a/Exabeam/Snapshot-with-domain.json b/Exabeam/Snapshot-with-domain.json
index bdc34b6f..1e271d6e 100644
--- a/Exabeam/Snapshot-with-domain.json
+++ b/Exabeam/Snapshot-with-domain.json
@@ -1 +1 @@
-{"schema_version": "1.1.3", "type": "investigation", "search-txt": "domain:\"darnellw-official-win10.qa.code42.com\"", "actions": "[{\"arg\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"created\":\"2021-09-17T09:49:18.287Z\",\"id\":\"collect-e525936f\",\"result\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T09:49:18.501Z\",\"uuid\":\"05730f0b-9c26-48d8-b2bc-d2c1d77457ac\"},{\"arg\":{\"type\":\"domain\",\"value\":\"darnellw-official-win10.qa.code42.com\"},\"created\":\"2021-09-17T09:49:18.517Z\",\"id\":\"investigate-cfd01cb9\",\"result\":{\"data\":[{\"module\":\"Talos Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"},\"judgement_id\":\"transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2024-09-13T09:49:18.897Z\",\"end_time\":\"2024-10-13T09:49:18.897Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2024-09-13T09:49:18.897Z\",\"end_time\":\"2024-10-13T09:49:18.897Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":5,\"reason\":\"Neutral Talos Intelligence reputation 
score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=darnellw-official-win10.qa.code42.com\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156\",\"severity\":\"Low\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":100,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.258Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335653Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14200,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6b163d1438afbe087bb895d76ea393e7\\\",\\\"sha256Checksum\\\":\\\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.926Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ae30f7b4-650d-56a3-990a-333256499e3b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.258Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.926Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"2021-09-16T22:52:32.760Z\",14200,\"code42-exfil-share-datatype\",\"6b163d1438afbe087bb895d76ea393e7\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.258Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.172Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336782Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Configuration.Binder.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":24952,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f97d210b3ede360f920e2b1d5b702d6b\\\",\\\"sha256Checksum\\\":\\\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.771Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":n
ull,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2c21877d-e685-5034-ab53-29f1b1a2b738\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.172Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Configuration.Binder.dll\",\"
DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"2021-09-16T22:52:32.763Z\",24952,\"code42-exfil-share-datatype\",\"f97d210b3ede360f920e2b1d5b702d6b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.172Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.771Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:31.153Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337748Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"msoimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11529088,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3f7fb1d32a7be58e65dc615a9553e183\\\",\\\"sha256Checksum\\\":\\\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.183Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:53.564Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-12314f44-1778-5595-ad19-9d3d7cfc50fe\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:31.153Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msoimm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICI
AL-WIN10.qa.code42.com\",\"2021-08-23T09:31:53.564Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"2021-09-16T22:52:32.766Z\",11529088,\"code42-exfil-share-datatype\",\"3f7fb1d32a7be58e65dc615a9553e183\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:31.153Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.183Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.086Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336563Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"AutoMapper.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":286720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ff3c3d84a000d57ef7d443f594d407ec\\\",\\\"sha256Checksum\\\":\\\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\\\",\\\"createTimestamp\\\":\\\"2021-06-17T09:48:12.583Z\\\",\\\"modifyTimestamp\\\":\\\"2021-06-17T09:48:17.915Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\"
:false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d912d326-0b65-5278-97f3-daacc2394c00\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.086Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"AutoMapper.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OF
FICIAL-WIN10.qa.code42.com\",\"2021-06-17T09:48:17.915Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"2021-09-16T22:52:32.759Z\",286720,\"code42-exfil-share-datatype\",\"ff3c3d84a000d57ef7d443f594d407ec\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.086Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-06-17T09:48:12.583Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.102Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335997Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":31744,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"88d5e6253dcb376fb076c87713b3628e\\\",\\\"sha256Checksum\\\":\\\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.614Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.054Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6b66f85d-68f8-5d9c-9c2a-b64a13f332bc\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.102Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.054Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"2021-09-16T22:52:32.766Z\",31744,\"code42-exfil-share-datatype\",\"88d5e6253dcb376fb076c87713b3628e\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.102Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.614Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.292Z 804e3b095828 Skyformation - 7352347330459896280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Telemetry.dll fsize=528248 msg=Resource [Resource: file :: Telemetry.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Telemetry.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.528Z ext_md5Checksum=eb3af15f534b067d98dac6a346728096 ext_sharedWith=[] ext_sha256Checksum=51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=528248 ext_insertionTimestamp=2021-09-16T22:51:22.314633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.519Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.292Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314633Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Telemetry.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":528248,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"eb3af15f534b067d98dac6a346728096\\\",\\\"sha256Checksum\\\":\\\"51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:16.519Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:16.528Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":n
ull,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2ab229de-8984-5eac-9af7-ee322bfd976e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.292Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Telemetry.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:16.528Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae\",\"2021-09-16T22:52:32.758Z\",528248,\"code42-exfil-share-datatype\",\"eb3af15f534b067d98dac6a346728096\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.292Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:16.519Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.123Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337678Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"igxim.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":4910872,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d19ae43d04b6c5c4b5f3fcc081b9e602\\\",\\\"sha256Checksum\\\":\\\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.611Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\
\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e9e5d067-489a-514d-9f2a-08e47f979775\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:28.123Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"igxim.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIA
L-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.611Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"2021-09-16T22:52:32.759Z\",4910872,\"code42-exfil-share-datatype\",\"d19ae43d04b6c5c4b5f3fcc081b9e602\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.123Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.136Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336703Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Client.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"987db26b17dc24d5b7dec25db1c103c2\\\",\\\"sha256Checksum\\\":\\\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.839Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d50e681f-cbb7-5757-b591-ef459f2fee04\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.136Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Client.dll\",\"DARN
ELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.839Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"2021-09-16T22:52:32.759Z\",18296,\"code42-exfil-share-datatype\",\"987db26b17dc24d5b7dec25db1c103c2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.136Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.196Z 804e3b095828 Skyformation - 5829787252207277270 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499196 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.196Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.222Z ext_md5Checksum=0e8e10650f39cb0b09ba8c47f840530f ext_sharedWith=[] ext_sha256Checksum=f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.334964Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.196Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334964Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"0e8e10650f39cb0b09ba8c47f840530f\\\",\\\"sha256Checksum\\\":\\\"f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.190Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.222Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-279e346e-a172-5393-bce2-3384bb0b5eff\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.196Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.222Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9\",\"2021-09-16T22:52:32.755Z\",14224,\"code42-exfil-share-datatype\",\"0e8e10650f39cb0b09ba8c47f840530f\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.196Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.190Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.331Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337467Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"Office.UI.Xaml.Core.winmd\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":20280,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d16aec0e28a5f509a04722edf62e01eb\\\",\\\"sha256Checksum\\\":\\\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:54.439Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"ou
tsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fe18df90-42e5-5d27-991a-1674d0d8c19a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.331Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"Office.UI.Xaml.Core.winmd\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:54.439Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"2021-09-16T22:52:32.764Z\",20280,\"code42-exfil-share-datatype\",\"d16aec0e28a5f509a04722edf62e01eb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.331Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.300Z 804e3b095828 Skyformation - 5713470709720643753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520300 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UpdateRingSettings.dll fsize=500600 msg=Resource [Resource: file :: UpdateRingSettings.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.300Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UpdateRingSettings.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.589Z ext_md5Checksum=8670927c143a1e54c0e7d9e7a56159b1 ext_sharedWith=[] ext_sha256Checksum=83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=500600 ext_insertionTimestamp=2021-09-16T22:51:22.314645Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.300Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314645Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"UpdateRingSettings.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":500600,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"8670927c143a1e54c0e7d9e7a56159b1\\\",\\\"sha256Checksum\\\":\\\"83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:16.583Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:16.589Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaN
ame\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-16d48bab-8124-5e36-b3e0-42349bf00cc4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.300Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UpdateRingSettings.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:16.589Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0\",\"2021-09-16T22:52:32.756Z\",500600,\"code42-exfil-share-datatype\",\"8670927c143a1e54c0e7d9e7a56159b1\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.300Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:16.583Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:39.350Z 804e3b095828 Skyformation - 8180994352798970218 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncConfig.exe fsize=635768 msg=Resource [Resource: file :: FileSyncConfig.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncConfig.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.389Z ext_md5Checksum=23843c09217f08eef3def81b6e92e645 ext_sharedWith=[] ext_sha256Checksum=282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=635768 ext_insertionTimestamp=2021-09-16T22:51:15.337907Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.374Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:39.350Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337907Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSyncConfig.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":635768,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"23843c09217f08eef3def81b6e92e645\\\",\\\"sha256Checksum\\\":\\\"282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:12.374Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:12.389Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName
\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d415923a-bee3-570e-b61e-3d5b35de5969\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:39.350Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSyncConfig.exe\",\"DARNELLW-OFFICI\",\"DARNE
LLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:12.389Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99\",\"2021-09-16T22:52:32.756Z\",635768,\"code42-exfil-share-datatype\",\"23843c09217f08eef3def81b6e92e645\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:39.350Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:12.374Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.194Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336844Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Options.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":50552,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"89c3d573e8b2e5a71850a69f14fff1a5\\\",\\\"sha256Checksum\\\":\\\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.786Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.917Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5dfd09b1-1bb7-5ed5-8f2d-610478d2f8fa\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.194Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Options.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.917Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"2021-09-16T22:52:32.763Z\",50552,\"code42-exfil-share-datatype\",\"89c3d573e8b2e5a71850a69f14fff1a5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.194Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.786Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.316Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336422Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":36240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e2dd338ceac0daebdfdf99d72e40fd80\\\",\\\"sha256Checksum\\\":\\\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.643Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.349Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7a401f3c-d0bf-5d2f-a8fd-832c43bf3a28\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.316Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI
\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.349Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"2021-09-16T22:52:32.761Z\",36240,\"code42-exfil-share-datatype\",\"e2dd338ceac0daebdfdf99d72e40fd80\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.316Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.643Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.309Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337398Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxOutlook.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1439232,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"845c649d20d35fc78fbab0c0d9ec5ec6\\\",\\\"sha256Checksum\\\":\\\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.168Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHo
urs\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4e24a545-12b5-5f9d-b26a-bb7e332d690d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.309Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxOutlook.exe\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.168Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"2021-09-16T22:52:32.761Z\",1439232,\"code42-exfil-share-datatype\",\"845c649d20d35fc78fbab0c0d9ec5ec6\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.309Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:39.345Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337890Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSync.Resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2382208,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"3c69d0029f27ff52a1b4d3f70fef0d2b\\\",\\\"sha256Checksum\\\":\\\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:12.114Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:12.146Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMedi
aName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3b61846d-7e29-5db8-b9ac-8f09a942b29c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:39.345Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSync.Resources.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:12.146Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"2021-09-16T22:52:32.760Z\",2382208,\"code42-exfil-share-datatype\",\"3c69d0029f27ff52a1b4d3f70fef0d2b\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:39.345Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:12.114Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.322Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335199Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"WindowsFormsIntegration.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14736,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\\\",\\\"sha256Checksum\\\":\\\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.379Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-48da0a98-8bf3-5368-898a-38df3042e727\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.322Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WindowsFormsIntegration.resources.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.379Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"2021-09-16T22:52:32.766Z\",14736,\"code42-exfil-share-datatype\",\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.322Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.158Z 804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.158Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336139Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f96e04ea6cbce1560b83bff7a42f29b0\\\",\\\"sha256Checksum\\\":\\\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.849Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a19de0e9-b0a6-5af1-b5fd-d33b5ca62e22\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.158Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.849Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"2021-09-16T22:52:32.763Z\",14224,\"code42-exfil-share-datatype\",\"f96e04ea6cbce1560b83bff7a42f29b0\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.158Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.178Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337186Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"YourPhoneServer.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":47104,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"640c3b31c496531dacc0a8fb830fd457\\\",\\\"sha256Checksum\\\":\\\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.653Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.484Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours
\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0fff593c-89eb-5aa2-84bb-cb724b886696\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:23.178Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneServer.exe\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.484Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"2021-09-16T22:52:32.765Z\",47104,\"code42-exfil-share-datatype\",\"640c3b31c496531dacc0a8fb830fd457\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.178Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.653Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.184Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337194Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"libnanoapimanaged.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7197696,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ff0f788645e78335908728321c10454b\\\",\\\"sha256Checksum\\\":\\\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.638Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.359Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3dc7244c-e1bd-5b60-bdb4-2cb874a6fd43\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:23.184Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"libnanoapimanaged.dll\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.359Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"2021-09-16T22:52:32.759Z\",7197696,\"code42-exfil-share-datatype\",\"ff0f788645e78335908728321c10454b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.184Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.638Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.206Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315122Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-string-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18296,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"f340a17ac423c71767d66973f69d05c8\\\",\\\"sha256Checksum\\\":\\\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.882Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.883Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableM
ediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d693bd9e-8d43-50df-a4ca-e6e50cf7b354\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:41.206Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-string-l1-1-0.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.883Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"2021-09-16T22:52:32.761Z\",18296,\"code42-exfil-share-datatype\",\"f340a17ac423c71767d66973f69d05c8\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.206Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.882Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.089Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336572Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Castle.Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":442368,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"2fba45e50a9fb187e9873416bc6b4400\\\",\\\"sha256Checksum\\\":\\\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.137Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:05.699Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\
":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fdc9d09f-3af0-54ae-a39c-63221dc894ec\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.089Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Castle.Core.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-O
FFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:05.699Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"2021-09-16T22:52:32.760Z\",442368,\"code42-exfil-share-datatype\",\"2fba45e50a9fb187e9873416bc6b4400\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.089Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.137Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.100Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337625Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\\\",\\\"fileName\\\":\\\"msointlimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":377184,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"99d060c13d92442ea518ad6c13305532\\\",\\\"sha256Checksum\\\":\\\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.887Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:50.699Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideAc
tiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-534dea1b-0dc4-5ca4-8133-5b7d820baf25\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:28.100Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msointlimm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OF
FICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:50.699Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"2021-09-16T22:52:32.765Z\",377184,\"code42-exfil-share-datatype\",\"99d060c13d92442ea518ad6c13305532\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.100Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.887Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:31.175Z 804e3b095828 Skyformation - 937782685410137034 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511175 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=saext.dll fsize=559480 msg=Resource [Resource: file :: saext.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.175Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=saext.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.174Z ext_md5Checksum=4a0f85409681a359adbbda4104daa7fb ext_sharedWith=[] ext_sha256Checksum=046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=559480 ext_insertionTimestamp=2021-09-16T22:51:15.337820Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:31.175Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337820Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"saext.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":559480,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"4a0f85409681a359adbbda4104daa7fb\\\",\\\"sha256Checksum\\\":\\\"046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:55.174Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\
\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2113c1b0-3556-58e7-a54a-1004516f2597\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:31.175Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"saext.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:55.174Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9\",\"2021-09-16T22:52:32.758Z\",559480,\"code42-exfil-share-datatype\",\"4a0f85409681a359adbbda4104daa7fb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:31.175Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.241Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335618Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d1b7ec7c3a95ec1e84117bfef59f1ab6\\\",\\\"sha256Checksum\\\":\\\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.863Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecip
ients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d03cc6e3-0d73-5ec3-902a-28c04f19e570\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.241Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll
\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.863Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"2021-09-16T22:52:32.765Z\",15240,\"code42-exfil-share-datatype\",\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.241Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.325Z 804e3b095828 Skyformation - 5312164448627929884 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499325 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=3584 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.325Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.728Z ext_md5Checksum=c62d73c8ea0d55db08cceec7afc7e3cc ext_sharedWith=[] ext_sha256Checksum=2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3584 ext_insertionTimestamp=2021-09-16T22:51:15.335208Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.577Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.325Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335208Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":3584,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c62d73c8ea0d55db08cceec7afc7e3cc\\\",\\\"sha256Checksum\\\":\\\"2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.577Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.728Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nul
l,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cf841002-dfb0-5c90-9fb1-281afd8d004d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.325Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.728Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd\",\"2021-09-16T22:52:32.756Z\",3584,\"code42-exfil-share-datatype\",\"c62d73c8ea0d55db08cceec7afc7e3cc\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.325Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.577Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.132Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334824Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\\\",\\\"fileName\\\":\\\"UIAutomationTypes.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b81fa8bc88192c7febd2479638aea569\\\",\\\"sha256Checksum\\\":\\\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.158Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.113Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6b44195a-efec-59e6-90b2-a72c680eb96b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.132Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationTypes.resources.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.113Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"2021-09-16T22:52:32.759Z\",17296,\"code42-exfil-share-datatype\",\"b81fa8bc88192c7febd2479638aea569\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.132Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.158Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.411Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314807Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-libraryloader-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12664,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"94d4e2bb8654b77c41cd35574e3f0299\\\",\\\"sha256Checksum\\\":\\\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.401Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.402Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"rem
ovableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-44a1a814-a037-5649-ace1-3f3276228e78\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.411Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"DAR
NELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.402Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"2021-09-16T22:52:32.762Z\",12664,\"code42-exfil-share-datatype\",\"94d4e2bb8654b77c41cd35574e3f0299\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.411Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.401Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.098Z 804e3b095828 Skyformation - 7444223728288167550 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508098 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointl30_winrt.dll fsize=86384 msg=Resource [Resource: file :: msointl30_winrt.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.098Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointl30_winrt.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.683Z ext_md5Checksum=18ad415ef30924748d83afeeee4d9cb0 ext_sharedWith=[] ext_sha256Checksum=e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=86384 ext_insertionTimestamp=2021-09-16T22:51:15.337616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.098Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337616Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\\\",\\\"fileName\\\":\\\"msointl30_winrt.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":86384,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"18ad415ef30924748d83afeeee4d9cb0\\\",\\\"sha256Checksum\\\":\\\"e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.887Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:50.683Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7e4dc97b-2030-545d-a650-c48fd51597ec\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:28.098Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msointl30_winrt.dll\",\"DARNELLW-OFFICI\",\"DARNEL
LW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:50.683Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd\",\"2021-09-16T22:52:32.758Z\",86384,\"code42-exfil-share-datatype\",\"18ad415ef30924748d83afeeee4d9cb0\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.098Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.887Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:18.268Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334477Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\\\",\\\"fileName\\\":\\\"PresentationUI.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":45448,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c9ea75b02fd1d01f87d8ca868c1ec833\\\",\\\"sha256Checksum\\\":\\\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.111Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:47.879Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-536ae9c9-aa2b-556e-92fa-d090d49269b6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:18.268Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationUI.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:47.879Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"2021-09-16T22:52:32.759Z\",45448,\"code42-exfil-share-datatype\",\"c9ea75b02fd1d01f87d8ca868c1ec833\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:18.268Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.111Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.105Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336624Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"DotNetty.Transport.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":254464,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"4a67dcf64aab4980b9bd9fb623cc7242\\\",\\\"sha256Checksum\\\":\\\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.044Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-37290152-c41e-56db-908e-bd32da2df133\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.105Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"DotNetty.Transport.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.044Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"2021-09-16T22:52:32.765Z\",254464,\"code42-exfil-share-datatype\",\"4a67dcf64aab4980b9bd9fb623cc7242\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.105Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.250Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336984Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Collections.Immutable.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":302216,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d8203aedaabeac1e606cd0e2af397d01\\\",\\\"sha256Checksum\\\":\\\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.294Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-dfab61df-0096-5423-8a0c-b2c4dc5b8b98\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.250Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Collections.Immutable.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.294Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"2021-09-16T22:52:32.760Z\",302216,\"code42-exfil-share-datatype\",\"d8203aedaabeac1e606cd0e2af397d01\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.250Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.303Z 804e3b095828 Skyformation - 2504656101616966541 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WebView2Loader.dll fsize=136576 msg=Resource [Resource: file :: WebView2Loader.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WebView2Loader.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.620Z ext_md5Checksum=82c2b3a8e75ab4fc6cc1360ea2c663e3 ext_sharedWith=[] ext_sha256Checksum=d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=136576 ext_insertionTimestamp=2021-09-16T22:51:22.314656Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.303Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314656Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"WebView2Loader.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":136576,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"82c2b3a8e75ab4fc6cc1360ea2c663e3\\\",\\\"sha256Checksum\\\":\\\"d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:16.618Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:16.620Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\
\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-02622f5a-4fce-56fe-901b-863245b815d6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.303Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WebView2Loader.dll\",\"DARNELLW-OFFICI\",\"DARNE
LLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:16.620Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a\",\"2021-09-16T22:52:32.755Z\",136576,\"code42-exfil-share-datatype\",\"82c2b3a8e75ab4fc6cc1360ea2c663e3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.303Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:16.618Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.201Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314355Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.WebSocketClient.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1103208,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"e93c70df0faa580e8272c9c833238352\\\",\\\"sha256Checksum\\\":\\\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.457Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.468Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"r
emovableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5da6e225-f60e-5faa-9c7e-9550e0df63ac\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.201Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.WebSocketClient.dll\",\"DAR
NELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.468Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"2021-09-16T22:52:32.763Z\",1103208,\"code42-exfil-share-datatype\",\"e93c70df0faa580e8272c9c833238352\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.201Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.457Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.219Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336922Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Newtonsoft.Json.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":653824,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f33cbe589b769956284868104686cc2d\\\",\\\"sha256Checksum\\\":\\\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.618Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.588Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fe8ae781-02a0-5307-abd5-6384db4d2597\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.219Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Newtonsoft.Json.dll\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.588Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"2021-09-16T22:52:32.761Z\",653824,\"code42-exfil-share-datatype\",\"f33cbe589b769956284868104686cc2d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.219Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.618Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.168Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336774Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Configuration.Abstractions.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":21368,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1c8f3a5d41fd162943613952097db8b\\\",\\\"sha256Checksum\\\":\\\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.771Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients
\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7eaa3a3c-8d7d-5542-ba3c-9a16e57c793b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.168Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Configuration.Abstractions.
dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"2021-09-16T22:52:32.765Z\",21368,\"code42-exfil-share-datatype\",\"e1c8f3a5d41fd162943613952097db8b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.168Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.771Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.234Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314470Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5Gui.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6671232,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"f53d5cd7837e933cf4cc8c07a1a88350\\\",\\\"sha256Checksum\\\":\\\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.375Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.450Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-017b269d-f20a-556e-98ca-8882048439ca\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.234Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5Gui.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFI
CIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.450Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"2021-09-16T22:52:32.762Z\",6671232,\"code42-exfil-share-datatype\",\"f53d5cd7837e933cf4cc8c07a1a88350\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.234Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.375Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.279Z 804e3b095828 Skyformation - 1930420880376628781 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507279 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.Ipc.Proxies.dll fsize=15872 msg=Resource [Resource: file :: HxComm.Ipc.Proxies.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.279Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.Ipc.Proxies.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.074Z ext_md5Checksum=cf6b921615692c64ac828dd7a37dd753 ext_sharedWith=[] ext_sha256Checksum=a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15872 ext_insertionTimestamp=2021-09-16T22:51:15.337336Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.279Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337336Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxComm.Ipc.Proxies.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15872,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"cf6b921615692c64ac828dd7a37dd753\\\",\\\"sha256Checksum\\\":\\\"a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.074Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a7581d2d-5489-5d5e-90a1-c3053d0c9faf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.279Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxComm.Ipc.Proxies.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.074Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1\",\"2021-09-16T22:52:32.758Z\",15872,\"code42-exfil-share-datatype\",\"cf6b921615692c64ac828dd7a37dd753\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.279Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.409Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314795Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-interlocked-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11640,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"72413f1254d09348dab76ee4e5e2e300\\\",\\\"sha256Checksum\\\":\\\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.394Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.395Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"remov
ableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-dfa102a1-c14f-54fa-a264-167f1cca11d6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.409Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-interlocked-l1-1-0.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.395Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"2021-09-16T22:52:32.767Z\",11640,\"code42-exfil-share-datatype\",\"72413f1254d09348dab76ee4e5e2e300\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.409Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.394Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.124Z 804e3b095828 Skyformation - 4266986604087729995 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500124 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.124Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.960Z ext_md5Checksum=303d4e1e6736b01a0e0d418c543c1346 ext_sharedWith=[] ext_sha256Checksum=4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335373Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.124Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335373Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20992,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"303d4e1e6736b01a0e0d418c543c1346\\\",\\\"sha256Checksum\\\":\\\"4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.591Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.960Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3f6c10e2-6344-52d5-8291-7e3610ff01c3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.124Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.960Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6\",\"2021-09-16T22:52:32.757Z\",20992,\"code42-exfil-share-datatype\",\"303d4e1e6736b01a0e0d418c543c1346\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.124Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.591Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.229Z 804e3b095828 Skyformation - 7367432510121182400 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520229 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Core.dll fsize=5929344 msg=Resource [Resource: file :: Qt5Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.229Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.180Z ext_md5Checksum=0629615fa66f3c3d4f16741c7fc04807 ext_sharedWith=[] ext_sha256Checksum=5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5929344 ext_insertionTimestamp=2021-09-16T22:51:22.314447Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.121Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.229Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314447Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":5929344,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"0629615fa66f3c3d4f16741c7fc04807\\\",\\\"sha256Checksum\\\":\\\"5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.121Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.180Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nu
ll,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-66babe0b-6e97-52f2-964c-23812722ada2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.229Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5Core.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.180Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5\",\"2021-09-16T22:52:32.756Z\",5929344,\"code42-exfil-share-datatype\",\"0629615fa66f3c3d4f16741c7fc04807\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.229Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.121Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.246Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336975Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Buffers.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20856,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ecdfe8ede869d2ccc6bf99981ea96400\\\",\\\"sha256Checksum\\\":\\\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.619Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.607Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\
\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6952810f-046c-5949-8e5d-34f48532431a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.246Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Buffers.dll\",\"DARNELLW-OFFICI\",\"DARNELL
W-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.607Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"2021-09-16T22:52:32.759Z\",20856,\"code42-exfil-share-datatype\",\"ecdfe8ede869d2ccc6bf99981ea96400\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.246Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.619Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.139Z 804e3b095828 Skyformation - 675604398557112437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502139 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Common.dll fsize=37240 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Common.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.139Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Common.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=405c72ee27026791aae1d61e63941509 ext_sharedWith=[] ext_sha256Checksum=838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37240 ext_insertionTimestamp=2021-09-16T22:51:15.336712Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.139Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336712Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Common.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":37240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"405c72ee27026791aae1d61e63941509\\\",\\\"sha256Checksum\\\":\\\"838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.839Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f86a975c-9f26-5e51-802f-84c2af9a6932\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.139Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Common.dll\",\"DARNEL
LW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.839Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a\",\"2021-09-16T22:52:32.756Z\",37240,\"code42-exfil-share-datatype\",\"405c72ee27026791aae1d61e63941509\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.139Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.231Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314459Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5DBus.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":437624,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"d10cb4ac9a26d6350f1079399351e9d3\\\",\\\"sha256Checksum\\\":\\\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.238Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.354Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-51e040bc-c210-5e54-ab78-5a8a0241c9ec\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.231Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5DBus.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.354Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"2021-09-16T22:52:32.760Z\",437624,\"code42-exfil-share-datatype\",\"d10cb4ac9a26d6350f1079399351e9d3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.231Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.238Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.086Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335338Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\\\",\\\"fileName\\\":\\\"mscorrc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":13176,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"fc24926593d08479a7ed2bdaff458d20\\\",\\\"sha256Checksum\\\":\\\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.252Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.613Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":f
alse,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bb64de71-ae43-53b8-99b8-1d60d6a1fce9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.086Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"mscorrc.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.613Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"2021-09-16T22:52:32.759Z\",13176,\"code42-exfil-share-datatype\",\"fc24926593d08479a7ed2bdaff458d20\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.086Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.252Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.281Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337345Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxComm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":22965248,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3bf2cfa3eeecd650c9564a2b6543b398\\\",\\\"sha256Checksum\\\":\\\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:51.480Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-59a10cc7-a14c-5876-9451-e86731e2b5a1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.281Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxComm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFI
CIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:51.480Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"2021-09-16T22:52:32.760Z\",22965248,\"code42-exfil-share-datatype\",\"3bf2cfa3eeecd650c9564a2b6543b398\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.281Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.163Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335444Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17272,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b5cb4e7532586d8ec2a144fe895ef55d\\\",\\\"sha256Checksum\\\":\\\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.330Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.707Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1d401e9a-2cb1-5def-a24d-24a9b8b5ac8b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.163Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.707Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"2021-09-16T22:52:32.765Z\",17272,\"code42-exfil-share-datatype\",\"b5cb4e7532586d8ec2a144fe895ef55d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.163Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.330Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.303Z 804e3b095828 Skyformation - 808043852961842895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=256912 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.082Z ext_md5Checksum=dc8ca3ec6a99318b649dc686002e72d4 ext_sharedWith=[] ext_sha256Checksum=75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=256912 ext_insertionTimestamp=2021-09-16T22:51:15.335757Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.303Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335757Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"PresentationFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":256912,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"dc8ca3ec6a99318b649dc686002e72d4\\\",\\\"sha256Checksum\\\":\\\"75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.377Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.082Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,
\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-affd0ffb-ec18-572a-a4fd-d077df9f8e38\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.303Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationFramework.resources.dll\",\"DARNELLW-O
FFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.082Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c\",\"2021-09-16T22:52:32.757Z\",256912,\"code42-exfil-share-datatype\",\"dc8ca3ec6a99318b649dc686002e72d4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.303Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.377Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.288Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335722Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\\\",\\\"sha256Checksum\\\":\\\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.598Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.987Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\
":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c63c47b6-7c5e-566e-aa43-5f12c76a8510\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.288Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.987Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"2021-09-16T22:52:32.761Z\",26112,\"code42-exfil-share-datatype\",\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.288Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.598Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.125Z 804e3b095828 Skyformation - 6459940454527848135 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501125 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=37264 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.125Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=0d48b65e82aff3b5d117729868cf0319 ext_sharedWith=[] ext_sha256Checksum=1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37264 ext_insertionTimestamp=2021-09-16T22:51:15.336060Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.125Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336060Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":37264,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"0d48b65e82aff3b5d117729868cf0319\\\",\\\"sha256Checksum\\\":\\\"1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.755Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-68df9315-560d-5c70-8845-a14a097e8135\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.125Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI
\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.755Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d\",\"2021-09-16T22:52:32.757Z\",37264,\"code42-exfil-share-datatype\",\"0d48b65e82aff3b5d117729868cf0319\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.125Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:30.321Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337686Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"inktotextengineimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":346480,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3579a936952da7532c4358700bed43a3\\\",\\\"sha256Checksum\\\":\\\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.183Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.674Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outside
ActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8fc99d0b-10ae-5866-bcf6-596487b75f28\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:30.321Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"inktotextengineimm.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.674Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"2021-09-16T22:52:32.762Z\",346480,\"code42-exfil-share-datatype\",\"3579a936952da7532c4358700bed43a3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:30.321Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.183Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.391Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314714Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-debug-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11648,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"5c7fa0b68872c2d1d3f10601e3af2341\\\",\\\"sha256Checksum\\\":\\\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.181Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.185Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMe
diaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-df11e4bd-5223-5ba3-998c-63e5b6a7404f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.391Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-debug-l1-1-0.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.185Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"2021-09-16T22:52:32.758Z\",11648,\"code42-exfil-share-datatype\",\"5c7fa0b68872c2d1d3f10601e3af2341\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.391Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.181Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.245Z 804e3b095828 Skyformation - 9011587025266222990 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500245 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xaml.resources.dll fsize=64400 msg=Resource [Resource: file :: System.Xaml.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.245Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Xaml.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.879Z ext_md5Checksum=79f7a9435ff548517a7219880789cca3 ext_sharedWith=[] ext_sha256Checksum=030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=64400 ext_insertionTimestamp=2021-09-16T22:51:15.335626Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.245Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335626Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"System.Xaml.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":64400,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"79f7a9435ff548517a7219880789cca3\\\",\\\"sha256Checksum\\\":\\\"030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.879Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-21427167-a3b0-5f52-8702-af47599ee1bb\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.245Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xaml.resources.dll\",\"DARNELLW-OFFICI\",\"
DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.879Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683\",\"2021-09-16T22:52:32.758Z\",64400,\"code42-exfil-share-datatype\",\"79f7a9435ff548517a7219880789cca3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.245Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.281Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337045Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Text.Encodings.Web.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":59768,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"2e2490a823b4a3d290a98d0371d199ed\\\",\\\"sha256Checksum\\\":\\\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.215Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-098fcb07-3723-5a0e-8225-82803059eaf5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.281Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Text.Encodings.Web.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.215Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"2021-09-16T22:52:32.766Z\",59768,\"code42-exfil-share-datatype\",\"2e2490a823b4a3d290a98d0371d199ed\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.281Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.216Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337256Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"libnanoapi.lib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":1570,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"bb41b302cf1325c4f459616da8e605a2\\\",\\\"sha256Checksum\\\":\\\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.468Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:30.262Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeBy
Bytes\\\":\\\"application/x-archive\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-326df068-94c9-5e34-81e0-c9ea9531369e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:23.216Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libnanoapi.lib\",\"DARNELLW-OFFICI\",\"DARNEL
LW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:30.262Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"2021-09-16T22:52:32.763Z\",1570,\"code42-exfil-share-datatype\",\"bb41b302cf1325c4f459616da8e605a2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"Archive\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.216Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.468Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.388Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314702Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-datetime-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11648,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"98cfeaa96192d5dccc4a1852f6754fd5\\\",\\\"sha256Checksum\\\":\\\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.142Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.155Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removabl
eMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-821e586f-78f1-5c4b-a330-7c3a4a90e160\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.388Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-datetime-l1-1-0.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.155Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"2021-09-16T22:52:32.762Z\",11648,\"code42-exfil-share-datatype\",\"98cfeaa96192d5dccc4a1852f6754fd5\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.388Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.142Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.278Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336341Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\\\",\\\"fileName\\\":\\\"UIAutomationClient.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18320,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5e55e4041d9e6f6bf0d3738a25255913\\\",\\\"sha256Checksum\\\":\\\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.643Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.271Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7b553448-cac0-598c-9207-98392e4a6815\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.278Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationClient.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.271Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"2021-09-16T22:52:32.762Z\",18320,\"code42-exfil-share-datatype\",\"5e55e4041d9e6f6bf0d3738a25255913\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.278Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.643Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.060Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335277Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":30720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1ac89288b8009c9a0fb138fb9d67b150\\\",\\\"sha256Checksum\\\":\\\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.586Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.943Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1817976c-22c7-5ba2-a2ec-9f106a5188a4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.060Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.943Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"2021-09-16T22:52:32.763Z\",30720,\"code42-exfil-share-datatype\",\"1ac89288b8009c9a0fb138fb9d67b150\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.060Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.586Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.206Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336218Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\\\",\\\"fileName\\\":\\\"vcruntime140_cor3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":97160,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"18049f6811fc0f94547189a9e104f5d2\\\",\\\"sha256Checksum\\\":\\\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.611Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.958Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5fc598ee-3323-5bd8-b51e-6aa2487ff75f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.206Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"vcruntime140_cor3.dll\",\"DARNELLW-OFFICI\",\"DA
RNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.958Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"2021-09-16T22:52:32.762Z\",97160,\"code42-exfil-share-datatype\",\"18049f6811fc0f94547189a9e104f5d2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.206Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.611Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.292Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335127Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"System.Windows.Forms.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":355192,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"47613e3bfa408b3299c04d0df45433ba\\\",\\\"sha256Checksum\\\":\\\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.301Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\
\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ddd7dd6e-c60a-5d7c-a1c3-0df72e003f42\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.292Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Forms.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.301Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"2021-09-16T22:52:32.763Z\",355192,\"code42-exfil-share-datatype\",\"47613e3bfa408b3299c04d0df45433ba\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.292Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.204Z 804e3b095828 Skyformation - 6039121869236992200 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.dll fsize=8971112 msg=Resource [Resource: file :: Microsoft.SharePoint.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.091Z ext_md5Checksum=aa47b460aedf810bc504ff9cea7b4b71 ext_sharedWith=[] ext_sha256Checksum=c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8971112 ext_insertionTimestamp=2021-09-16T22:51:22.314366Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.994Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.204Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314366Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":8971112,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"aa47b460aedf810bc504ff9cea7b4b71\\\",\\\"sha256Checksum\\\":\\\"c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.994Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.091Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMed
iaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b2501b6d-6041-5a59-b80b-711a0c3b8cd0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.204Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.dll\",\"DARNELLW-OFFICI\",\
"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.091Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268\",\"2021-09-16T22:52:32.758Z\",8971112,\"code42-exfil-share-datatype\",\"aa47b460aedf810bc504ff9cea7b4b71\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.204Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.994Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:46.178Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315412Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\\\",\\\"fileName\\\":\\\"qtquickextrasplugin.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":80256,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"68118cdf04def6c50804a705773bbd9b\\\",\\\"sha256Checksum\\\":\\\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:21.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:21.223Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"
removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5083602b-a06b-5d24-af8f-2bfe63c17e91\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:46.178Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"qtquickextrasplugin.dll\",\"DARNELLW-OFFICI\",\"
DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:21.223Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"2021-09-16T22:52:32.765Z\",80256,\"code42-exfil-share-datatype\",\"68118cdf04def6c50804a705773bbd9b\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:46.178Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:21.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.207Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314378Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":729448,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"4bb5499613eca0fe0670a3cab2d5318e\\\",\\\"sha256Checksum\\\":\\\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.205Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.217Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMedi
aName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4705bfeb-5768-5df8-b473-f0f8d7e7e6fa\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.207Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.exe\",\"DARNELLW-OFFICI\",\
"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.217Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"2021-09-16T22:52:32.764Z\",729448,\"code42-exfil-share-datatype\",\"4bb5499613eca0fe0670a3cab2d5318e\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.207Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.205Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.146Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335417Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\\\",\\\"fileName\\\":\\\"PresentationFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":208784,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"beeb465b9ab84dbb8f78f866924d49fe\\\",\\\"sha256Checksum\\\":\\\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.315Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.676Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,
\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a2446362-b761-59ca-b266-481be937f20d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.146Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationFramework.resources.dll\",\"DARNELLW-O
FFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.676Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"2021-09-16T22:52:32.766Z\",208784,\"code42-exfil-share-datatype\",\"beeb465b9ab84dbb8f78f866924d49fe\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.146Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.315Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.076Z 804e3b095828 Skyformation - 147196130964191603 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501076 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.076Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.014Z ext_md5Checksum=081d17a68c2295a810e0b139bfa4e114 ext_sharedWith=[] ext_sha256Checksum=99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335934Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.605Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.076Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335934Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20992,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"081d17a68c2295a810e0b139bfa4e114\\\",\\\"sha256Checksum\\\":\\\"99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.605Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.014Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-44b73b40-4221-578b-9eae-d3810396510a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.076Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.014Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038\",\"2021-09-16T22:52:32.756Z\",20992,\"code42-exfil-share-datatype\",\"081d17a68c2295a810e0b139bfa4e114\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.076Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.605Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.350Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337538Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"TextEntityExtractorProxy.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":638976,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f8af1754c0bdb86deb1f68930784d580\\\",\\\"sha256Checksum\\\":\\\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:55.205Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-136baa2d-5aea-5b0a-9418-0a52aa609308\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.350Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"TextEntityExtractorProxy.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:55.205Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"2021-09-16T22:52:32.767Z\",638976,\"code42-exfil-share-datatype\",\"f8af1754c0bdb86deb1f68930784d580\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.350Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.090Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335347Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":19968,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b2f71614b51575b117cfa4356d851423\\\",\\\"sha256Checksum\\\":\\\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.589Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.950Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5dc47da6-f678-5f91-974b-61b966157a34\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.090Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.950Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"2021-09-16T22:52:32.761Z\",19968,\"code42-exfil-share-datatype\",\"b2f71614b51575b117cfa4356d851423\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.090Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.589Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z 
ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:47:48.222Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:56:50.885010Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/\\\",\\\"fileName\\\":\\\"sshd.pid\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":6,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"4ae3b17c6481c84809152f331f7d783c\\\",\\\"sha256Checksum\\\":\\\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\\\",\\\"createTimestamp\\\":\\\"2021-03-17T09:49:37.832Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T09:39:11.904Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\"
,\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-89f62135-5d10-5c8b-b5fa-817a2c27a8aa\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:47:48.222Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}
],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"sshd.pid\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T09:39:11.904Z\",\"application/octet-stream\",\"MODIFIED\",\"162.222.47.183\",\"darnell.waters\",\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"2021-09-16T22:58:29.756Z\",6,\"code42-exfil-share-datatype\",\"4ae3b17c6481c84809152f331f7d783c\",57848,\"false\",\"TRUE\",\"C:/\",\"Document\",\"Administrators\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:47:48.222Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-03-17T09:49:37.832Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.158Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314982Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-conio-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12664,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"c61e3c9099cc2b143cc93bf26ac01d34\\\",\\\"sha256Checksum\\\":\\\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.790Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.790Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMed
iaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ea331943-231d-59ae-b045-bf2899370e95\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:41.158Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-conio-l1-1-0.dll\",\"DARNELLW-OFFIC
I\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.790Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"2021-09-16T22:52:32.763Z\",12664,\"code42-exfil-share-datatype\",\"c61e3c9099cc2b143cc93bf26ac01d34\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.158Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.790Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.134Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336077Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"System.Windows.Forms.Design.Editors.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":78200,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3feb5a138ff178c1dd47a8a99f394517\\\",\\\"sha256Checksum\\\":\\\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.771Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipie
nts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-38500b3c-d09a-5933-9f12-8ce1bcf80dc7\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.134Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Forms.Design.Editors.resources.dl
l\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.771Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"2021-09-16T22:52:32.759Z\",78200,\"code42-exfil-share-datatype\",\"3feb5a138ff178c1dd47a8a99f394517\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.134Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.160Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336148Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"UIAutomationTypes.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17272,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"077bb8ca6a783006aacb63d08317c339\\\",\\\"sha256Checksum\\\":\\\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.849Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61471_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fedbe573-b72a-5077-ba5e-941b4ee49a84\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.160Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationTypes.resources.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.849Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"2021-09-16T22:52:32.764Z\",17272,\"code42-exfil-share-datatype\",\"077bb8ca6a783006aacb63d08317c339\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.160Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.284Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337354Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxCommModel.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":4250624,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1d0bcfa0671f607ba8e3ab53f893e8bb\\\",\\\"sha256Checksum\\\":\\\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.137Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActive
Hours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-19161eab-42bb-5946-8a45-838595016d88\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.284Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxCommModel.dll\",\"DARNELLW-OFFICI\",\"DARNELLW
-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.137Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"2021-09-16T22:52:32.763Z\",4250624,\"code42-exfil-share-datatype\",\"1d0bcfa0671f607ba8e3ab53f893e8bb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.284Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.166Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336765Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Caching.Memory.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":32120,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"9e7c8d18c1128488df0dea96a6b5be3c\\\",\\\"sha256Checksum\\\":\\\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.247Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-428b7375-7e1c-5850-8200-06507b5b34a0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.166Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Caching.Memory.dll\",\"DARNEL
LW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.247Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"2021-09-16T22:52:32.764Z\",32120,\"code42-exfil-share-datatype\",\"9e7c8d18c1128488df0dea96a6b5be3c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.166Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.128Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337977Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSyncTelemetryExtensions.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":71544,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"faaf9d982dbaa8ab547098f1fb6abc81\\\",\\\"sha256Checksum\\\":\\\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.402Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.405Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMe
diaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-91f9087e-ab21-5688-acba-fb1eb85ba5b8\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.128Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSyncTelemetryExtensions.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.405Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"2021-09-16T22:52:32.759Z\",71544,\"code42-exfil-share-datatype\",\"faaf9d982dbaa8ab547098f1fb6abc81\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.128Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.402Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.280Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335704Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"dc434cced48beee1b8f867474c5cc33d\\\",\\\"sha256Checksum\\\":\\\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.599Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.991Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\"
:null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f31e2487-c55b-515f-b8fc-e0a53f0ef25d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.280Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.991Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"2021-09-16T22:52:32.765Z\",26112,\"code42-exfil-share-datatype\",\"dc434cced48beee1b8f867474c5cc33d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.280Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.599Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.330Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335818Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15736,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1b1e7bc04757e673ca956218abdb7959\\\",\\\"sha256Checksum\\\":\\\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.393Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.144Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipien
ts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6cd2b8fc-f731-57c1-86f5-fed67f0957a8\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.330Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll\"
,\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.144Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"2021-09-16T22:52:32.766Z\",15736,\"code42-exfil-share-datatype\",\"1b1e7bc04757e673ca956218abdb7959\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.330Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.393Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.192Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314319Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.Calc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1333608,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"29b2b242a9fb8c094425d566c50f0958\\\",\\\"sha256Checksum\\\":\\\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.949Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.967Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMedi
aMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-34f54f93-f2dd-59f3-a154-10f1707d627b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.192Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.Calc.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.967Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"2021-09-16T22:52:32.760Z\",1333608,\"code42-exfil-share-datatype\",\"29b2b242a9fb8c094425d566c50f0958\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.192Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.949Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.191Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337203Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\\\",\\\"fileName\\\":\\\"e_sqlite3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":870400,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6844e4b40c797e392e1dddcfae0b8dd4\\\",\\\"sha256Checksum\\\":\\\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\\\",\\\"createTimestamp\\\":\\\"2020-08-20T09:07:00.718Z\\\",\\\"modifyTimestamp\\\":\\\"2020-08-20T09:07:05.686Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-eb7e3801-f619-540e-a8f4-05fc9da73c0c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:23.191Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"e_sqlite3.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2020-08-20T09:07:05.686Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"2021-09-16T22:52:32.766Z\",870400,\"code42-exfil-share-datatype\",\"6844e4b40c797e392e1dddcfae0b8dd4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.191Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-08-20T09:07:00.718Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.212Z 804e3b095828 Skyformation - 5968313916744927868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500212 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationCore.resources.dll fsize=108400 msg=Resource [Resource: file :: PresentationCore.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.212Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationCore.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.722Z ext_md5Checksum=5d4f96b6a42c28702870a533a7617bd5 ext_sharedWith=[] ext_sha256Checksum=30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=108400 ext_insertionTimestamp=2021-09-16T22:51:15.335548Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.346Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.212Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335548Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"PresentationCore.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":108400,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5d4f96b6a42c28702870a533a7617bd5\\\",\\\"sha256Checksum\\\":\\\"30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.346Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.722Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b903a5a3-b012-5096-a170-05bc5a2946ba\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.212Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationCore.resources.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.722Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7\",\"2021-09-16T22:52:32.757Z\",108400,\"code42-exfil-share-datatype\",\"5d4f96b6a42c28702870a533a7617bd5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.212Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.346Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.153Z 804e3b095828 Skyformation - 7743569861848583628 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-timezone-l1-1-0.dll fsize=12152 msg=Resource [Resource: file :: api-ms-win-core-timezone-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-timezone-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.779Z ext_md5Checksum=1036215228ab84a9089baf43196b5347 ext_sharedWith=[] ext_sha256Checksum=5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12152 ext_insertionTimestamp=2021-09-16T22:51:22.314959Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.778Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.153Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314959Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-timezone-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12152,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"1036215228ab84a9089baf43196b5347\\\",\\\"sha256Checksum\\\":\\\"5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.778Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.779Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removabl
eMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-061845c2-9952-5d67-8de4-bc1db5becde4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:41.153Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-timezone-l1-1-0.dll\",\"DARNELLW-O
FFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.779Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1\",\"2021-09-16T22:52:32.755Z\",12152,\"code42-exfil-share-datatype\",\"1036215228ab84a9089baf43196b5347\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.153Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.778Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.108Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336633Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Google.Protobuf.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":401064,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5e73f645a041a91618e33299cfe33851\\\",\\\"sha256Checksum\\\":\\\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.060Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-865b0547-28b5-5628-81aa-fd2365d64178\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.108Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Google.Protobuf.dll\",\"DARNELLW-OFFICI\",\"DARNEL
LW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.060Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"2021-09-16T22:52:32.766Z\",401064,\"code42-exfil-share-datatype\",\"5e73f645a041a91618e33299cfe33851\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.108Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.133Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336694Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Client.Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":144760,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1edab455db5fec76120731d3c11cb67\\\",\\\"sha256Checksum\\\":\\\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.823Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":n
ull,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5ee0bfc1-0b98-5a2f-bd7a-e2956ae8bd8c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.133Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"D
ARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.823Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"2021-09-16T22:52:32.761Z\",144760,\"code42-exfil-share-datatype\",\"e1edab455db5fec76120731d3c11cb67\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.133Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.161Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334894Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17784,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"981e3dd612e3d93ba10c54e46d378aa5\\\",\\\"sha256Checksum\\\":\\\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.190Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.176Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-25fd1982-75f3-5e52-902d-b527a9cd6267\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.161Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.176Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"2021-09-16T22:52:32.762Z\",17784,\"code42-exfil-share-datatype\",\"981e3dd612e3d93ba10c54e46d378aa5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.161Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.190Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.295Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335136Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5a9f0b52ac62762bd03d34c0e410acb3\\\",\\\"sha256Checksum\\\":\\\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.316Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipien
ts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-24d9af69-669e-5391-ae0b-c18dc61ef987\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.295Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll\"
,\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.316Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"2021-09-16T22:52:32.760Z\",15224,\"code42-exfil-share-datatype\",\"5a9f0b52ac62762bd03d34c0e410acb3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.295Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:44.248Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315215Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"ipcfile.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":519040,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"c0ae22d4188ac20d9d83dd26ad0aabe8\\\",\\\"sha256Checksum\\\":\\\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.591Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.599Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nu
ll,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-69abadfe-25fd-5e4f-a407-b3da485bbc62\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:44.248Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ipcfile.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.599Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"2021-09-16T22:52:32.766Z\",519040,\"code42-exfil-share-datatype\",\"c0ae22d4188ac20d9d83dd26ad0aabe8\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:44.248Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.591Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.190Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336835Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Logging.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":34168,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"47d7a055ee7672f9b54ba629da07a6a3\\\",\\\"sha256Checksum\\\":\\\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.786Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.917Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a9032f0e-b114-516c-83c5-fcd804f2e56f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.190Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Logging.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.917Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"2021-09-16T22:52:32.766Z\",34168,\"code42-exfil-share-datatype\",\"47d7a055ee7672f9b54ba629da07a6a3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.190Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.786Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.288Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337062Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Threading.Channels.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":45952,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"523c15d2368a36583c90119fd9f52fe7\\\",\\\"sha256Checksum\\\":\\\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.230Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ee91bb4e-5f06-55c9-a35c-5b16e355d85e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.288Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Threading.Channels.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.230Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"2021-09-16T22:52:32.766Z\",45952,\"code42-exfil-share-datatype\",\"523c15d2368a36583c90119fd9f52fe7\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.288Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:47.204Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315494Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\\\",\\\"fileName\\\":\\\"OneDriveSetup.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":47927168,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"82a458793a4b821e54408db1a0ae4124\\\",\\\"sha256Checksum\\\":\\\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\\\",\\\"createTimestamp\\\":\\\"2021-09-14T09:30:08.167Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-14T09:29:55.334Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null
,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e14fb3f3-aefb-52b4-b546-f90b3b7fd5d2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:47.204Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"OneDriveSetup.exe\",\"DARNELLW-OFFICI\",\"DARNELLW
-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-14T09:29:55.334Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"2021-09-16T22:52:32.761Z\",47927168,\"code42-exfil-share-datatype\",\"82a458793a4b821e54408db1a0ae4124\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:47.204Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-14T09:30:08.167Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.200Z 804e3b095828 Skyformation - 7793293095645548560 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501200 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=25088 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.200Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.082Z ext_md5Checksum=fa2e5b66e169df3e80f8eed33a789fbc ext_sharedWith=[] ext_sha256Checksum=9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=25088 ext_insertionTimestamp=2021-09-16T22:51:15.336201Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.622Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.200Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336201Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":25088,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"fa2e5b66e169df3e80f8eed33a789fbc\\\",\\\"sha256Checksum\\\":\\\"9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.622Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.082Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e29fa47e-bf50-58cf-9339-6c430ab38a62\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.200Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.082Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950\",\"2021-09-16T22:52:32.757Z\",25088,\"code42-exfil-share-datatype\",\"fa2e5b66e169df3e80f8eed33a789fbc\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.200Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.622Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.233Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336279Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":35728,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1b4ed26020dd106aaf2e1a6265dce9d\\\",\\\"sha256Checksum\\\":\\\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.627Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.224Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-36abdf49-657a-59e8-9c6b-bc66f117a563\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.233Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.224Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"2021-09-16T22:52:32.760Z\",35728,\"code42-exfil-share-datatype\",\"e1b4ed26020dd106aaf2e1a6265dce9d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.233Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.627Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:18.328Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334616Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":30720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c329416237b094613fc5f5a64b2ecbce\\\",\\\"sha256Checksum\\\":\\\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.564Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.664Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cb002c03-bff8-50b9-ab6c-38e051f8eaac\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:18.328Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.664Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"2021-09-16T22:52:32.765Z\",30720,\"code42-exfil-share-datatype\",\"c329416237b094613fc5f5a64b2ecbce\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:18.328Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.564Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.199Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315098Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-runtime-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":16248,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"439e89fa2d4882b639df5e8ec7a96ba3\\\",\\\"sha256Checksum\\\":\\\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.868Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removable
MediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c5651815-9eb9-5ee5-b593-f145187c5f2b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:41.199Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-runtime-l1-1-0.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"2021-09-16T22:52:32.759Z\",16248,\"code42-exfil-share-datatype\",\"439e89fa2d4882b639df5e8ec7a96ba3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.199Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.868Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.130Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336068Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d7b70d7ae944e13019a7796eb46e966c\\\",\\\"sha256Checksum\\\":\\\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.755Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6bbdcb3d-de81-5fa0-9ce8-8196cab49f6d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.130Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.755Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"2021-09-16T22:52:32.759Z\",17296,\"code42-exfil-share-datatype\",\"d7b70d7ae944e13019a7796eb46e966c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.130Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.307Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335765Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"PresentationUI.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":53112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"0bf7eed5f18b294cd26d33a71c831237\\\",\\\"sha256Checksum\\\":\\\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.377Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.098Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f7c7271c-b02f-55d5-8324-6347f8c2ef43\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.307Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationUI.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.098Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"2021-09-16T22:52:32.764Z\",53112,\"code42-exfil-share-datatype\",\"0bf7eed5f18b294cd26d33a71c831237\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.307Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.377Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.336Z 804e3b095828 Skyformation - 6096184265000961437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507336 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.HxAccounts.dll fsize=2942464 msg=Resource [Resource: file :: Office.UI.Xaml.HxAccounts.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.336Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.HxAccounts.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.642Z ext_md5Checksum=bae190aeab7c357c1ea766ab9254857c ext_sharedWith=[] ext_sha256Checksum=801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2942464 ext_insertionTimestamp=2021-09-16T22:51:15.337484Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.336Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337484Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"Office.UI.Xaml.HxAccounts.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2942464,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"bae190aeab7c357c1ea766ab9254857c\\\",\\\"sha256Checksum\\\":\\\"801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:54.642Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7f297a60-2a09-5bd3-9ef1-18510e5792a1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.336Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Office.UI.Xaml.HxAccounts.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:54.642Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c\",\"2021-09-16T22:52:32.758Z\",2942464,\"code42-exfil-share-datatype\",\"bae190aeab7c357c1ea766ab9254857c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.336Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:44.262Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315284Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"msipc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":3022712,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"dcd150947325c51dc49af1c568e76466\\\",\\\"sha256Checksum\\\":\\\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.484Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.519Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3764815d-d2f5-579a-be20-2c6282346cd1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:44.262Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msipc.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIA
L-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.519Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"2021-09-16T22:52:32.766Z\",3022712,\"code42-exfil-share-datatype\",\"dcd150947325c51dc49af1c568e76466\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:44.262Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.484Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.137Z 804e3b095828 Skyformation - 392809219994308060 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521137 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-rtlsupport-l1-1-0.dll fsize=12160 msg=Resource [Resource: file :: api-ms-win-core-rtlsupport-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.137Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-rtlsupport-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.749Z ext_md5Checksum=5bbca69ebadff5aa3456d95a857449f2 ext_sharedWith=[] ext_sha256Checksum=44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12160 ext_insertionTimestamp=2021-09-16T22:51:22.314900Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.748Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.137Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314900Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-rtlsupport-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12160,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"5bbca69ebadff5aa3456d95a857449f2\\\",\\\"sha256Checksum\\\":\\\"44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.748Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.749Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"remova
bleMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5bae4ed0-ed1b-5e79-9ed0-91754da9aa59\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:41.137Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-rtlsupport-l1-1-0.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.749Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751\",\"2021-09-16T22:52:32.756Z\",12160,\"code42-exfil-share-datatype\",\"5bbca69ebadff5aa3456d95a857449f2\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.137Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.748Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.285Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337054Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Text.Json.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":293248,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"64efa1bfed847afd252e7af274648474\\\",\\\"sha256Checksum\\\":\\\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.215Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHou
rs\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-edff67a4-85b1-54b8-8379-dbf469aa9a5d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.285Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Text.Json.dll\",\"DARNELLW-OFFICI\",\"DARNE
LLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.215Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"2021-09-16T22:52:32.764Z\",293248,\"code42-exfil-share-datatype\",\"64efa1bfed847afd252e7af274648474\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.285Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.258Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336992Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.ComponentModel.Annotations.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":43152,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"7d3d14b0417a68ccdd9c51972ff74863\\\",\\\"sha256Checksum\\\":\\\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.619Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.611Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"
outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8a5e3684-e7b1-5b9f-a209-d7869b01aeb5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.258Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.ComponentModel.Annotations.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.611Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"2021-09-16T22:52:32.766Z\",43152,\"code42-exfil-share-datatype\",\"7d3d14b0417a68ccdd9c51972ff74863\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.258Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.619Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.246Z 804e3b095828 Skyformation - 750953637013587902 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.725Z ext_md5Checksum=4fa0501c386184a3d8b599ab5bfdd7c2 ext_sharedWith=[] ext_sha256Checksum=72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335055Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.576Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.246Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335055Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20992,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"4fa0501c386184a3d8b599ab5bfdd7c2\\\",\\\"sha256Checksum\\\":\\\"72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.576Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.725Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d0d89806-4329-54f1-92f8-0085c4d17855\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.246Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.725Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979\",\"2021-09-16T22:52:32.757Z\",20992,\"code42-exfil-share-datatype\",\"4fa0501c386184a3d8b599ab5bfdd7c2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.246Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.576Z\"]]}}]}}}],\"errors\":[{\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"code\":\"too-many-messages-warning\",\"message\":\"There are more messages in Exabeam for darnellw-official-win10.qa.code42.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages.\",\"type\":\"warning\",\"module\":\"Exabeam\"}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T09:49:23.287Z\",\"uuid\":\"b2159bf9-6bf6-4a8d-8959-9e8f33d5a856\"}]", "short_description": "Exabeam_domain", "omittedObservables": [], "archivedObservables": [{"key": "322a628a-ad99-4707-8997-7260985f4c11", "value": "darnellw-official-win10.qa.code42.com", "indicators": [], "type": "domain", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [{"valid_time": {"start_time": "2021-09-17T09:49:18.897Z", "end_time": "2021-10-17T09:49:18.897Z"}, "observable": {"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:f0bd0871", "action": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "judgement_id": "transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156"}], "notifications": [{"module_type": 
"873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f0bd0871", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "domain", "value": "darnellw-official-win10.qa.code42.com"}, "type": "warning", "action_id": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for darnellw-official-win10.qa.code42.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "darnellw-official-win10.qa.code42.com", "id": "f0bd0871", "judgements": [{"valid_time": {"start_time": "2021-09-17T09:49:18.897Z", "end_time": "2021-10-17T09:49:18.897Z"}, "schema_version": "1.1.3", "observable": {"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=darnellw-official-win10.qa.code42.com", "disposition_name": "Unknown", "priority": 90, "id": "transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156", "severity": "Low", "tlp": "white", "action": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "ctr_uuid": "128d81cd-78f2-4744-98b6-d19900625aa0", "confidence": "High", "ctr_dispositionOrder": 4, "ctr_hide": false}], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.246Z 804e3b095828 Skyformation - 750953637013587902 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 dproc=file events 
dtz=default-tenant duid=username duser=SYSTEM end=1631832499246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.725Z ext_md5Checksum=4fa0501c386184a3d8b599ab5bfdd7c2 ext_sharedWith=[] ext_sha256Checksum=72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335055Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-09T09:44:28.576Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335055Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4fa0501c386184a3d8b599ab5bfdd7c2\",\"sha256Checksum\":\"72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979\",\"createTimestamp\":\"2021-09-09T09:44:28.576Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.725Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d0d89806-4329-54f1-92f8-0085c4d17855", 
"observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.246Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.725Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979", "2021-09-16T22:52:32.757Z", 20992, "code42-exfil-share-datatype", "4fa0501c386184a3d8b599ab5bfdd7c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:19.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.576Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] 
ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336992Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.ComponentModel.Annotations.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":43152,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"7d3d14b0417a68ccdd9c51972ff74863\",\"sha256Checksum\":\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8a5e3684-e7b1-5b9f-a209-d7869b01aeb5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.258Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ComponentModel.Annotations.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4", "2021-09-16T22:52:32.766Z", 43152, "code42-exfil-share-datatype", "7d3d14b0417a68ccdd9c51972ff74863", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.285Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337054Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":293248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"64efa1bfed847afd252e7af274648474\",\"sha256Checksum\":\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableM
ediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-edff67a4-85b1-54b8-8379-dbf469aa9a5d", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.285Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237", "2021-09-16T22:52:32.764Z", 293248, "code42-exfil-share-datatype", "64efa1bfed847afd252e7af274648474", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.285Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.137Z 804e3b095828 Skyformation - 392809219994308060 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521137 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-rtlsupport-l1-1-0.dll fsize=12160 msg=Resource [Resource: file :: api-ms-win-core-rtlsupport-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.137Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-rtlsupport-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.749Z ext_md5Checksum=5bbca69ebadff5aa3456d95a857449f2 ext_sharedWith=[] ext_sha256Checksum=44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12160 ext_insertionTimestamp=2021-09-16T22:51:22.314900Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.748Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.137Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314900Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-rtlsupport-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12160,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5bbca69ebadff5aa3456d95a857449f2\",\"sha256Checksum\":\"44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751\",\"createTimestamp\":\"2021-09-08T09:32:11.748Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.749Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"m
imeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5bae4ed0-ed1b-5e79-9ed0-91754da9aa59", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.137Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-rtlsupport-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.749Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751", "2021-09-16T22:52:32.756Z", 12160, "code42-exfil-share-datatype", "5bbca69ebadff5aa3456d95a857449f2", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.137Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.748Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.262Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315284Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"msipc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3022712,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"dcd150947325c51dc49af1c568e76466\",\"sha256Checksum\":\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"createTimestamp\":\"2021-09-08T09:32:14.484Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.519Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-3764815d-d2f5-579a-be20-2c6282346cd1", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.262Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msipc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.519Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1", "2021-09-16T22:52:32.766Z", 3022712, "code42-exfil-share-datatype", "dcd150947325c51dc49af1c568e76466", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.262Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.484Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.336Z 804e3b095828 Skyformation - 6096184265000961437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507336 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.HxAccounts.dll fsize=2942464 msg=Resource [Resource: file :: Office.UI.Xaml.HxAccounts.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.336Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.HxAccounts.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.642Z ext_md5Checksum=bae190aeab7c357c1ea766ab9254857c ext_sharedWith=[] 
ext_sha256Checksum=801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2942464 ext_insertionTimestamp=2021-09-16T22:51:15.337484Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.336Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337484Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.HxAccounts.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2942464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bae190aeab7c357c1ea766ab9254857c\",\"sha256Checksum\":\"801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.642Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7f297a60-2a09-5bd3-9ef1-18510e5792a1", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.336Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Office.UI.Xaml.HxAccounts.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.642Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c", "2021-09-16T22:52:32.758Z", 2942464, "code42-exfil-share-datatype", "bae190aeab7c357c1ea766ab9254857c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.336Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.307Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":53112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0bf7eed5f18b294cd26d33a71c831237\",\"sha256Checksum\":\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.098Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestinatio
n\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f7c7271c-b02f-55d5-8324-6347f8c2ef43", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.307Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.098Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28", "2021-09-16T22:52:32.764Z", 53112, "code42-exfil-share-datatype", "0bf7eed5f18b294cd26d33a71c831237", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.307Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.130Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336068Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d7b70d7ae944e13019a7796eb46e966c\",\"sha256Checksum\":\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"
shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6bbdcb3d-de81-5fa0-9ce8-8196cab49f6d", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.130Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "d7b70d7ae944e13019a7796eb46e966c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.130Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.199Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315098Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-runtime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":16248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"439e89fa2d4882b639df5e8ec7a96ba3\",\"sha256Checksum\":\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"createTimestamp\":\"2021-09-08T09:32:11.868Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mime
TypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c5651815-9eb9-5ee5-b593-f145187c5f2b", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.199Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-runtime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862", "2021-09-16T22:52:32.759Z", 16248, "code42-exfil-share-datatype", "439e89fa2d4882b639df5e8ec7a96ba3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.199Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.868Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 
ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.328Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c329416237b094613fc5f5a64b2ecbce\",\"sha256Checksum\":\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"createTimestamp\":\"2021-09-09T09:44:28.564Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.664Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cb002c03-bff8-50b9-ab6c-38e051f8eaac", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.328Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.664Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75", "2021-09-16T22:52:32.765Z", 30720, "code42-exfil-share-datatype", "c329416237b094613fc5f5a64b2ecbce", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.328Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.564Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.233Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336279Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":35728,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1b4ed26020dd106aaf2e1a6265dce9d\",\"sha256Checksum\":\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"createTimestamp\":\"2021-08-18T09:55:42.627Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.224Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-36abdf49-657a-59e8-9c6b-bc66f117a563", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.233Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.224Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f", "2021-09-16T22:52:32.760Z", 35728, "code42-exfil-share-datatype", "e1b4ed26020dd106aaf2e1a6265dce9d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.233Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.627Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.200Z 804e3b095828 Skyformation - 7793293095645548560 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501200 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=25088 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.200Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.082Z ext_md5Checksum=fa2e5b66e169df3e80f8eed33a789fbc ext_sharedWith=[] ext_sha256Checksum=9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=25088 
ext_insertionTimestamp=2021-09-16T22:51:15.336201Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.622Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.200Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336201Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":25088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fa2e5b66e169df3e80f8eed33a789fbc\",\"sha256Checksum\":\"9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950\",\"createTimestamp\":\"2021-09-09T09:44:28.622Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.082Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e29fa47e-bf50-58cf-9339-6c430ab38a62", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.200Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.082Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950", "2021-09-16T22:52:32.757Z", 25088, "code42-exfil-share-datatype", "fa2e5b66e169df3e80f8eed33a789fbc", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.200Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.622Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:47.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315494Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"fileName\":\"OneDriveSetup.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47927168,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82a458793a4b821e54408db1a0ae4124\",\"sha256Checksum\":\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"createTimestamp\":\"2021-09-14T09:30:08.167Z\",\"modifyTimestamp\":\"2021-09-14T09:29:55.334Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applica
tion/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:47Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e14fb3f3-aefb-52b4-b546-f90b3b7fd5d2", "observed_start_time": "2021-09-16T22:48:47Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:47.204Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "OneDriveSetup.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-14T09:29:55.334Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4", "2021-09-16T22:52:32.761Z", 47927168, "code42-exfil-share-datatype", "82a458793a4b821e54408db1a0ae4124", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:47.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-14T09:30:08.167Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337062Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Threading.Channels.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"523c15d2368a36583c90119fd9f52fe7\",\"sha256Checksum\":\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.230Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\
":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-ee91bb4e-5f06-55c9-a35c-5b16e355d85e", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.288Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Threading.Channels.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.230Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0", "2021-09-16T22:52:32.766Z", 45952, "code42-exfil-share-datatype", "523c15d2368a36583c90119fd9f52fe7", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z 
ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.190Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336835Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Logging.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":34168,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47d7a055ee7672f9b54ba629da07a6a3\",\"sha256Checksum\":\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a9032f0e-b114-516c-83c5-fcd804f2e56f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.190Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Logging.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c", "2021-09-16T22:52:32.766Z", 34168, "code42-exfil-share-datatype", "47d7a055ee7672f9b54ba629da07a6a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.190Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.248Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315215Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"ipcfile.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":519040,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c0ae22d4188ac20d9d83dd26ad0aabe8\",\"sha256Checksum\":\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"createTimestamp\":\"2021-09-08T09:32:13.591Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.599Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedi
aSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-69abadfe-25fd-5e4f-a407-b3da485bbc62", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.248Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ipcfile.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.599Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0", "2021-09-16T22:52:32.766Z", 519040, "code42-exfil-share-datatype", "c0ae22d4188ac20d9d83dd26ad0aabe8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.248Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z 
ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.295Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335136Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5a9f0b52ac62762bd03d34c0e410acb3\",\"sha256Checksum\":\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.316Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-24d9af69-669e-5391-ae0b-c18dc61ef987", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.295Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.316Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0", "2021-09-16T22:52:32.760Z", 15224, "code42-exfil-share-datatype", "5a9f0b52ac62762bd03d34c0e410acb3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.295Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.161Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334894Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"981e3dd612e3d93ba10c54e46d378aa5\",\"sha256Checksum\":\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.176Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-25fd1982-75f3-5e52-902d-b527a9cd6267", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.161Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.176Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0", "2021-09-16T22:52:32.762Z", 17784, "code42-exfil-share-datatype", "981e3dd612e3d93ba10c54e46d378aa5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.161Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.133Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336694Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":144760,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1edab455db5fec76120731d3c11cb67\",\"sha256Checksum\":\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.823Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5ee0bfc1-0b98-5a2f-bd7a-e2956ae8bd8c", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.133Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.823Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b", "2021-09-16T22:52:32.761Z", 144760, "code42-exfil-share-datatype", "e1edab455db5fec76120731d3c11cb67", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.133Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.108Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Google.Protobuf.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":401064,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e73f645a041a91618e33299cfe33851\",\"sha256Checksum\":\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.060Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMe
diaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-865b0547-28b5-5628-81aa-fd2365d64178", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.108Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Google.Protobuf.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.060Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661", "2021-09-16T22:52:32.766Z", 401064, "code42-exfil-share-datatype", "5e73f645a041a91618e33299cfe33851", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.108Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.153Z 804e3b095828 Skyformation - 7743569861848583628 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-timezone-l1-1-0.dll fsize=12152 msg=Resource [Resource: file :: api-ms-win-core-timezone-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-timezone-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.779Z ext_md5Checksum=1036215228ab84a9089baf43196b5347 ext_sharedWith=[] ext_sha256Checksum=5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12152 ext_insertionTimestamp=2021-09-16T22:51:22.314959Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.778Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314959Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-timezone-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12152,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"1036215228ab84a9089baf43196b5347\",\"sha256Checksum\":\"5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1\",\"createTimestamp\":\"2021-09-08T09:32:11.778Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.779Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-061845c2-9952-5d67-8de4-bc1db5becde4", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.153Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-timezone-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.779Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1", "2021-09-16T22:52:32.755Z", 12152, "code42-exfil-share-datatype", "1036215228ab84a9089baf43196b5347", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.778Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.212Z 804e3b095828 Skyformation - 5968313916744927868 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500212 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationCore.resources.dll fsize=108400 msg=Resource [Resource: file :: PresentationCore.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.212Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationCore.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.722Z ext_md5Checksum=5d4f96b6a42c28702870a533a7617bd5 ext_sharedWith=[] ext_sha256Checksum=30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=108400 
ext_insertionTimestamp=2021-09-16T22:51:15.335548Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.346Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.212Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335548Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"PresentationCore.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":108400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5d4f96b6a42c28702870a533a7617bd5\",\"sha256Checksum\":\"30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7\",\"createTimestamp\":\"2021-08-18T09:55:42.346Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.722Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],
\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b903a5a3-b012-5096-a170-05bc5a2946ba", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.212Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationCore.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:49.722Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7", "2021-09-16T22:52:32.757Z", 108400, "code42-exfil-share-datatype", "5d4f96b6a42c28702870a533a7617bd5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.212Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.346Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.191Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337203Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"fileName\":\"e_sqlite3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":870400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6844e4b40c797e392e1dddcfae0b8dd4\",\"sha256Checksum\":\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"createTimestamp\":\"2020-08-20T09:07:00.718Z\",\"modifyTimestamp\":\"2020-08-20T09:07:05.686Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-eb7e3801-f619-540e-a8f4-05fc9da73c0c", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.191Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "e_sqlite3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-08-20T09:07:05.686Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1", "2021-09-16T22:52:32.766Z", 870400, "code42-exfil-share-datatype", "6844e4b40c797e392e1dddcfae0b8dd4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.191Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-08-20T09:07:00.718Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username 
duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.192Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314319Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.Calc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1333608,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"29b2b242a9fb8c094425d566c50f0958\",\"sha256Checksum\":\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"createTimestamp\":\"2021-09-08T09:32:13.949Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.967Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestination
Username\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-34f54f93-f2dd-59f3-a154-10f1707d627b", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": 
{"start_time": "2021-09-16T22:48:40.192Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.Calc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.967Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64", "2021-09-16T22:52:32.760Z", 1333608, "code42-exfil-share-datatype", "29b2b242a9fb8c094425d566c50f0958", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.192Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.949Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 
2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.330Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335818Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1b1e7bc04757e673ca956218abdb7959\",\"sha256Checksum\":\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"createTimestamp\":\"2021-08-18T09:55:42.393Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.144Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":
null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6cd2b8fc-f731-57c1-86f5-fed67f0957a8", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.330Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.144Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb", "2021-09-16T22:52:32.766Z", 15736, "code42-exfil-share-datatype", "1b1e7bc04757e673ca956218abdb7959", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.330Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.393Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.280Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335704Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc434cced48beee1b8f867474c5cc33d\",\"sha256Checksum\":\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"createTimestamp\":\"2021-09-09T09:44:28.599Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.991Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f31e2487-c55b-515f-b8fc-e0a53f0ef25d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.280Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.991Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6", "2021-09-16T22:52:32.765Z", 26112, "code42-exfil-share-datatype", "dc434cced48beee1b8f867474c5cc33d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.280Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.599Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 
ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.128Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337977Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncTelemetryExtensions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":71544,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"faaf9d982dbaa8ab547098f1fb6abc81\",\"sha256Checksum\":\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"createTimestamp\":\"2021-09-08T09:32:13.402Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.405Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"r
emovableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-91f9087e-ab21-5688-acba-fb1eb85ba5b8", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.128Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncTelemetryExtensions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:13.405Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239", "2021-09-16T22:52:32.759Z", 71544, "code42-exfil-share-datatype", "faaf9d982dbaa8ab547098f1fb6abc81", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.128Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.402Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.166Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Caching.Memory.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":32120,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"9e7c8d18c1128488df0dea96a6b5be3c\",\"sha256Checksum\":\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.247Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-428b7375-7e1c-5850-8200-06507b5b34a0", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.166Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Caching.Memory.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.247Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f", "2021-09-16T22:52:32.764Z", 32120, "code42-exfil-share-datatype", "9e7c8d18c1128488df0dea96a6b5be3c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.166Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.284Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337354Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxCommModel.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4250624,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1d0bcfa0671f607ba8e3ab53f893e8bb\",\"sha256Checksum\":\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.137Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":n
ull,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-19161eab-42bb-5946-8a45-838595016d88", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.284Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxCommModel.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:52.137Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3", "2021-09-16T22:52:32.763Z", 4250624, "code42-exfil-share-datatype", "1d0bcfa0671f607ba8e3ab53f893e8bb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.284Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.160Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336148Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"077bb8ca6a783006aacb63d08317c339\",\"sha256Checksum\":\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61471_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fedbe573-b72a-5077-ba5e-941b4ee49a84", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.160Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92", "2021-09-16T22:52:32.764Z", 17272, "code42-exfil-share-datatype", "077bb8ca6a783006aacb63d08317c339", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.160Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.134Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336077Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Forms.Design.Editors.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":78200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3feb5a138ff178c1dd47a8a99f394517\",\"sha256Checksum\":\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.771Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"
windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-38500b3c-d09a-5933-9f12-8ce1bcf80dc7", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.134Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.Design.Editors.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.771Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30", "2021-09-16T22:52:32.759Z", 78200, "code42-exfil-share-datatype", "3feb5a138ff178c1dd47a8a99f394517", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.134Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314982Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-conio-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c61e3c9099cc2b143cc93bf26ac01d34\",\"sha256Checksum\":\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"createTimestamp\":\"2021-09-08T09:32:11.790Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.790Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTyp
eByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ea331943-231d-59ae-b045-bf2899370e95", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.158Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-conio-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.790Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc", "2021-09-16T22:52:32.763Z", 12664, "code42-exfil-share-datatype", "c61e3c9099cc2b143cc93bf26ac01d34", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.790Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:47:48.222Z\",\"insertionTimestamp\":\"2021-09-16T22:56:50.885010Z\",\"fieldErrors\":[],\"filePath\":\"C:/\",\"fileName\":\"sshd.pid\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":6,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4ae3b17c6481c84809152f331f7d783c\",\"sha256Checksum\":\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"createTimestamp\":\"2021-03-17T09:49:37.832Z\",\"modifyTimestamp\":\"2021-09-16T09:39:11.904Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch
\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:47:48Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-89f62135-5d10-5c8b-b5fa-817a2c27a8aa", "observed_start_time": "2021-09-16T22:47:48Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:47:48.222Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": 
"domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "sshd.pid", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T09:39:11.904Z", "application/octet-stream", "MODIFIED", "162.222.47.183", "darnell.waters", "c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750", "2021-09-16T22:58:29.756Z", 6, "code42-exfil-share-datatype", "4ae3b17c6481c84809152f331f7d783c", 57848, "false", "TRUE", "C:/", "Document", "Administrators", "FILE", "902428473202283166", "2021-09-16T22:47:48.222Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-03-17T09:49:37.832Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events 
dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.090Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335347Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":19968,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b2f71614b51575b117cfa4356d851423\",\"sha256Checksum\":\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"createTimestamp\":\"2021-09-09T09:44:28.589Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.950Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5dc47da6-f678-5f91-974b-61b966157a34", 
"observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.090Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.950Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b", "2021-09-16T22:52:32.761Z", 19968, "code42-exfil-share-datatype", "b2f71614b51575b117cfa4356d851423", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:20.090Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.589Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] 
ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337538Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"TextEntityExtractorProxy.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":638976,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f8af1754c0bdb86deb1f68930784d580\",\"sha256Checksum\":\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.205Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":
null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-136baa2d-5aea-5b0a-9418-0a52aa609308", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.350Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "TextEntityExtractorProxy.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.205Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab", "2021-09-16T22:52:32.767Z", 638976, "code42-exfil-share-datatype", "f8af1754c0bdb86deb1f68930784d580", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.076Z 804e3b095828 Skyformation - 147196130964191603 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832501076 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.076Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.014Z ext_md5Checksum=081d17a68c2295a810e0b139bfa4e114 ext_sharedWith=[] ext_sha256Checksum=99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335934Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.605Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.076Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335934Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"081d17a68c2295a810e0b139bfa4e114\",\"sha256Checksum\":\"99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038\",\"createTimestamp\":\"2021-09-09T09:44:28.605Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.014Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syn
cDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44b73b40-4221-578b-9eae-d3810396510a", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": 
"domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.076Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.014Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038", "2021-09-16T22:52:32.756Z", 20992, "code42-exfil-share-datatype", "081d17a68c2295a810e0b139bfa4e114", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.076Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-09-09T09:44:28.605Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 
ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.146Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335417Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":208784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"beeb465b9ab84dbb8f78f866924d49fe\",\"sha256Checksum\":\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"createTimestamp\":\"2021-08-18T09:55:42.315Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.676Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdde
d\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a2446362-b761-59ca-b266-481be937f20d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.146Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.676Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154", "2021-09-16T22:52:32.766Z", 208784, "code42-exfil-share-datatype", "beeb465b9ab84dbb8f78f866924d49fe", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.146Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.315Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.207Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314378Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":729448,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"4bb5499613eca0fe0670a3cab2d5318e\",\"sha256Checksum\":\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"createTimestamp\":\"2021-09-08T09:32:14.205Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.217Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4705bfeb-5768-5df8-b473-f0f8d7e7e6fa", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.207Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.217Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636", "2021-09-16T22:52:32.764Z", 729448, "code42-exfil-share-datatype", "4bb5499613eca0fe0670a3cab2d5318e", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.207Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.205Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:46.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315412Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"fileName\":\"qtquickextrasplugin.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":80256,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"68118cdf04def6c50804a705773bbd9b\",\"sha256Checksum\":\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"createTimestamp\":\"2021-09-08T09:32:21.221Z\",\"modifyTimestamp\":\"2021-09-08T09:32:21.223Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"
removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:46Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", 
"id": "transient:sighting-5083602b-a06b-5d24-af8f-2bfe63c17e91", "observed_start_time": "2021-09-16T22:48:46Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:46.178Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "qtquickextrasplugin.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:21.223Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8", "2021-09-16T22:52:32.765Z", 80256, "code42-exfil-share-datatype", "68118cdf04def6c50804a705773bbd9b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:46.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:21.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.204Z 804e3b095828 Skyformation - 6039121869236992200 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.dll fsize=8971112 msg=Resource [Resource: file :: Microsoft.SharePoint.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.091Z ext_md5Checksum=aa47b460aedf810bc504ff9cea7b4b71 ext_sharedWith=[] 
ext_sha256Checksum=c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8971112 ext_insertionTimestamp=2021-09-16T22:51:22.314366Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.994Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314366Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":8971112,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"aa47b460aedf810bc504ff9cea7b4b71\",\"sha256Checksum\":\"c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268\",\"createTimestamp\":\"2021-09-08T09:32:13.994Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.091Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"
directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, 
"common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b2501b6d-6041-5a59-b80b-711a0c3b8cd0", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.204Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.091Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268", "2021-09-16T22:52:32.758Z", 8971112, "code42-exfil-share-datatype", "aa47b460aedf810bc504ff9cea7b4b71", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.994Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335127Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Forms.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":355192,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47613e3bfa408b3299c04d0df45433ba\",\"sha256Checksum\":\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.301Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ddd7dd6e-c60a-5d7c-a1c3-0df72e003f42", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.292Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.301Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5", "2021-09-16T22:52:32.763Z", 355192, "code42-exfil-share-datatype", "47613e3bfa408b3299c04d0df45433ba", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336218Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"vcruntime140_cor3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":97160,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18049f6811fc0f94547189a9e104f5d2\",\"sha256Checksum\":\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"createTimestamp\":\"2021-08-18T09:55:42.611Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.958Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removabl
eMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5fc598ee-3323-5bd8-b51e-6aa2487ff75f", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.206Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "vcruntime140_cor3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:53.958Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db", "2021-09-16T22:52:32.762Z", 97160, "code42-exfil-share-datatype", "18049f6811fc0f94547189a9e104f5d2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.611Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.060Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335277Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1ac89288b8009c9a0fb138fb9d67b150\",\"sha256Checksum\":\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"createTimestamp\":\"2021-09-09T09:44:28.586Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.943Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1817976c-22c7-5ba2-a2ec-9f106a5188a4", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.060Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.943Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780", "2021-09-16T22:52:32.763Z", 30720, "code42-exfil-share-datatype", "1ac89288b8009c9a0fb138fb9d67b150", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.060Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.586Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 
ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.278Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336341Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"UIAutomationClient.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18320,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e55e4041d9e6f6bf0d3738a25255913\",\"sha256Checksum\":\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.271Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":
[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7b553448-cac0-598c-9207-98392e4a6815", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.278Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationClient.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:54.271Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f", "2021-09-16T22:52:32.762Z", 18320, "code42-exfil-share-datatype", "5e55e4041d9e6f6bf0d3738a25255913", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.278Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.388Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314702Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-datetime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"98cfeaa96192d5dccc4a1852f6754fd5\",\"sha256Checksum\":\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"createTimestamp\":\"2021-09-08T09:32:11.142Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.155Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-821e586f-78f1-5c4b-a330-7c3a4a90e160", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.388Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-datetime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.155Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027", "2021-09-16T22:52:32.762Z", 11648, "code42-exfil-share-datatype", "98cfeaa96192d5dccc4a1852f6754fd5", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.388Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.142Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.216Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337256Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"libnanoapi.lib\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":1570,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bb41b302cf1325c4f459616da8e605a2\",\"sha256Checksum\":\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"createTimestamp\":\"2021-09-09T09:44:28.468Z\",\"modifyTimestamp\":\"2021-09-09T09:44:30.262Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\
":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-archive\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-326df068-94c9-5e34-81e0-c9ea9531369e", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.216Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libnanoapi.lib", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:30.262Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df", "2021-09-16T22:52:32.763Z", 1570, "code42-exfil-share-datatype", "bb41b302cf1325c4f459616da8e605a2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/", "Archive", "SYSTEM", "FILE", 
"902428473202283166", "2021-09-16T22:48:23.216Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.468Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] 
ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337045Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Encodings.Web.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":59768,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2e2490a823b4a3d290a98d0371d199ed\",\"sha256Checksum\":\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-098fcb07-3723-5a0e-8225-82803059eaf5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.281Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Encodings.Web.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724", "2021-09-16T22:52:32.766Z", 59768, "code42-exfil-share-datatype", "2e2490a823b4a3d290a98d0371d199ed", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.245Z 804e3b095828 Skyformation - 9011587025266222990 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500245 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xaml.resources.dll fsize=64400 msg=Resource [Resource: file :: System.Xaml.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.245Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Xaml.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.879Z ext_md5Checksum=79f7a9435ff548517a7219880789cca3 ext_sharedWith=[] ext_sha256Checksum=030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=64400 ext_insertionTimestamp=2021-09-16T22:51:15.335626Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.245Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335626Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Xaml.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":64400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"79f7a9435ff548517a7219880789cca3\",\"sha256Checksum\":\"030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNum
ber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-21427167-a3b0-5f52-8702-af47599ee1bb", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.245Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xaml.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683", "2021-09-16T22:52:32.758Z", 64400, "code42-exfil-share-datatype", "79f7a9435ff548517a7219880789cca3", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.245Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z 
ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.391Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314714Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-debug-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5c7fa0b68872c2d1d3f10601e3af2341\",\"sha256Checksum\":\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"createTimestamp\":\"2021-09-08T09:32:11.181Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.185Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"101
7088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 
30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-df11e4bd-5223-5ba3-998c-63e5b6a7404f", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.391Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", 
"api-ms-win-core-debug-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.185Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477", "2021-09-16T22:52:32.758Z", 11648, "code42-exfil-share-datatype", "5c7fa0b68872c2d1d3f10601e3af2341", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.391Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.181Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:30.321Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337686Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"inktotextengineimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":346480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3579a936952da7532c4358700bed43a3\",\"sha256Checksum\":\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.674Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\
"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:30Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8fc99d0b-10ae-5866-bcf6-596487b75f28", "observed_start_time": "2021-09-16T22:48:30Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:30.321Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "inktotextengineimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.674Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82", "2021-09-16T22:52:32.762Z", 346480, "code42-exfil-share-datatype", "3579a936952da7532c4358700bed43a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:30.321Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.125Z 804e3b095828 Skyformation - 6459940454527848135 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832501125 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=37264 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.125Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=0d48b65e82aff3b5d117729868cf0319 ext_sharedWith=[] ext_sha256Checksum=1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37264 ext_insertionTimestamp=2021-09-16T22:51:15.336060Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.125Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336060Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":37264,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0d48b65e82aff3b5d117729868cf0319\",\"sha256Checksum\":\"1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestinatio
n\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-68df9315-560d-5c70-8845-a14a097e8135", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.125Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d", "2021-09-16T22:52:32.757Z", 37264, "code42-exfil-share-datatype", "0d48b65e82aff3b5d117729868cf0319", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.125Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",\"sha256Checksum\":\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"createTimestamp\":\"2021-09-09T09:44:28.598Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.987Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"s
hared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c63c47b6-7c5e-566e-aa43-5f12c76a8510", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.288Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.987Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c", "2021-09-16T22:52:32.761Z", 26112, "code42-exfil-share-datatype", "c0d4746e3cb9e48dfa98f5e7d7bd98a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.598Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.303Z 804e3b095828 Skyformation - 808043852961842895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=256912 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.082Z ext_md5Checksum=dc8ca3ec6a99318b649dc686002e72d4 ext_sharedWith=[] ext_sha256Checksum=75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=256912 ext_insertionTimestamp=2021-09-16T22:51:15.335757Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.303Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335757Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":256912,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc8ca3ec6a99318b649dc686002e72d4\",\"sha256Checksum\":\"75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.082Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-affd0ffb-ec18-572a-a4fd-d077df9f8e38", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.303Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.082Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c", "2021-09-16T22:52:32.757Z", 256912, "code42-exfil-share-datatype", "dc8ca3ec6a99318b649dc686002e72d4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.303Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.163Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335444Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b5cb4e7532586d8ec2a144fe895ef55d\",\"sha256Checksum\":\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"createTimestamp\":\"2021-08-18T09:55:42.330Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.707Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1d401e9a-2cb1-5def-a24d-24a9b8b5ac8b", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.163Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.707Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e", "2021-09-16T22:52:32.765Z", 17272, "code42-exfil-share-datatype", "b5cb4e7532586d8ec2a144fe895ef55d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.163Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.330Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337345Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":22965248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3bf2cfa3eeecd650c9564a2b6543b398\",\"sha256Checksum\":\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:51.480Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operating
SystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-59a10cc7-a14c-5876-9451-e86731e2b5a1", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.281Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": 
"src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:51.480Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680", "2021-09-16T22:52:32.760Z", 22965248, "code42-exfil-share-datatype", "3bf2cfa3eeecd650c9564a2b6543b398", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 
fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335338Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"mscorrc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":13176,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fc24926593d08479a7ed2bdaff458d20\",\"sha256Checksum\":\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"createTimestamp\":\"2021-08-18T09:55:42.252Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.613Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\
"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb64de71-ae43-53b8-99b8-1d60d6a1fce9", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.086Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorrc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.613Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532", "2021-09-16T22:52:32.759Z", 13176, "code42-exfil-share-datatype", "fc24926593d08479a7ed2bdaff458d20", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.252Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.231Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314459Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5DBus.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":437624,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"d10cb4ac9a26d6350f1079399351e9d3\",\"sha256Checksum\":\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"createTimestamp\":\"2021-09-08T09:32:15.238Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.354Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-51e040bc-c210-5e54-ab78-5a8a0241c9ec", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.231Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5DBus.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.354Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8", "2021-09-16T22:52:32.760Z", 437624, "code42-exfil-share-datatype", "d10cb4ac9a26d6350f1079399351e9d3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.231Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.238Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.139Z 804e3b095828 Skyformation - 675604398557112437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502139 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Common.dll fsize=37240 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Common.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.139Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Common.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=405c72ee27026791aae1d61e63941509 ext_sharedWith=[] 
ext_sha256Checksum=838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37240 ext_insertionTimestamp=2021-09-16T22:51:15.336712Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.139Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336712Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Common.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":37240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"405c72ee27026791aae1d61e63941509\",\"sha256Checksum\":\"838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f86a975c-9f26-5e51-802f-84c2af9a6932", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.139Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Common.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a", "2021-09-16T22:52:32.756Z", 37240, "code42-exfil-share-datatype", "405c72ee27026791aae1d61e63941509", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.139Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336975Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Buffers.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20856,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ecdfe8ede869d2ccc6bf99981ea96400\",\"sha256Checksum\":\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.607Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMedi
aName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6952810f-046c-5949-8e5d-34f48532431a", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.246Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Buffers.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.607Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb", "2021-09-16T22:52:32.759Z", 20856, "code42-exfil-share-datatype", "ecdfe8ede869d2ccc6bf99981ea96400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.229Z 804e3b095828 Skyformation - 7367432510121182400 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520229 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Core.dll fsize=5929344 msg=Resource [Resource: file :: Qt5Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.229Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.180Z ext_md5Checksum=0629615fa66f3c3d4f16741c7fc04807 ext_sharedWith=[] ext_sha256Checksum=5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5929344 ext_insertionTimestamp=2021-09-16T22:51:22.314447Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.121Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.229Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314447Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5929344,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"0629615fa66f3c3d4f16741c7fc04807\",\"sha256Checksum\":\"5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5\",\"createTimestamp\":\"2021-09-08T09:32:15.121Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.180Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"appli
cation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66babe0b-6e97-52f2-964c-23812722ada2", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.229Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.180Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5", "2021-09-16T22:52:32.756Z", 5929344, "code42-exfil-share-datatype", "0629615fa66f3c3d4f16741c7fc04807", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.229Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.121Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.124Z 804e3b095828 Skyformation - 4266986604087729995 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500124 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.124Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.960Z ext_md5Checksum=303d4e1e6736b01a0e0d418c543c1346 ext_sharedWith=[] ext_sha256Checksum=4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335373Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.124Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335373Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"303d4e1e6736b01a0e0d418c543c1346\",\"sha256Checksum\":\"4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6\",\"createTimestamp\":\"2021-09-09T09:44:28.591Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.960Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVen
dor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3f6c10e2-6344-52d5-8291-7e3610ff01c3", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.124Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.960Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6", "2021-09-16T22:52:32.757Z", 20992, "code42-exfil-share-datatype", "303d4e1e6736b01a0e0d418c543c1346", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.124Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.409Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314795Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-interlocked-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11640,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"72413f1254d09348dab76ee4e5e2e300\",\"sha256Checksum\":\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"createTimestamp\":\"2021-09-08T09:32:11.394Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.395Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dfa102a1-c14f-54fa-a264-167f1cca11d6", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.409Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-interlocked-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.395Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9", "2021-09-16T22:52:32.767Z", 11640, "code42-exfil-share-datatype", "72413f1254d09348dab76ee4e5e2e300", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.409Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.394Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.279Z 804e3b095828 Skyformation - 1930420880376628781 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507279 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.Ipc.Proxies.dll fsize=15872 msg=Resource [Resource: file :: HxComm.Ipc.Proxies.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.279Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.Ipc.Proxies.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.074Z ext_md5Checksum=cf6b921615692c64ac828dd7a37dd753 ext_sharedWith=[] ext_sha256Checksum=a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15872 
ext_insertionTimestamp=2021-09-16T22:51:15.337336Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.279Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337336Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.Ipc.Proxies.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"cf6b921615692c64ac828dd7a37dd753\",\"sha256Checksum\":\"a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.074Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[
],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a7581d2d-5489-5d5e-90a1-c3053d0c9faf", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.279Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.Ipc.Proxies.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:52.074Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1", "2021-09-16T22:52:32.758Z", 15872, "code42-exfil-share-datatype", "cf6b921615692c64ac828dd7a37dd753", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.279Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314470Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Gui.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6671232,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f53d5cd7837e933cf4cc8c07a1a88350\",\"sha256Checksum\":\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"createTimestamp\":\"2021-09-08T09:32:15.375Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.450Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applic
ation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-017b269d-f20a-556e-98ca-8882048439ca", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.234Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Gui.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.450Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0", "2021-09-16T22:52:32.762Z", 6671232, "code42-exfil-share-datatype", "f53d5cd7837e933cf4cc8c07a1a88350", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.234Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.375Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.168Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336774Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Abstractions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":21368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1c8f3a5d41fd162943613952097db8b\",\"sha256Checksum\":\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableM
ediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7eaa3a3c-8d7d-5542-ba3c-9a16e57c793b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.168Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Abstractions.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732", "2021-09-16T22:52:32.765Z", 21368, "code42-exfil-share-datatype", "e1c8f3a5d41fd162943613952097db8b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.168Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.219Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336922Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Newtonsoft.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":653824,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f33cbe589b769956284868104686cc2d\",\"sha256Checksum\":\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"createTimestamp\":\"2020-05-21T13:18:58.618Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.588Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fe8ae781-02a0-5307-abd5-6384db4d2597", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.219Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Newtonsoft.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.588Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278", "2021-09-16T22:52:32.761Z", 653824, "code42-exfil-share-datatype", "f33cbe589b769956284868104686cc2d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.219Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.201Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314355Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.WebSocketClient.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1103208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"e93c70df0faa580e8272c9c833238352\",\"sha256Checksum\":\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"createTimestamp\":\"2021-09-08T09:32:14.457Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.468Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMed
iaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5da6e225-f60e-5faa-9c7e-9550e0df63ac", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.201Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.WebSocketClient.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.468Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00", "2021-09-16T22:52:32.763Z", 1103208, "code42-exfil-share-datatype", "e93c70df0faa580e8272c9c833238352", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.201Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.457Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.303Z 804e3b095828 Skyformation - 2504656101616966541 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WebView2Loader.dll fsize=136576 msg=Resource [Resource: file :: WebView2Loader.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WebView2Loader.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.620Z ext_md5Checksum=82c2b3a8e75ab4fc6cc1360ea2c663e3 ext_sharedWith=[] ext_sha256Checksum=d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=136576 ext_insertionTimestamp=2021-09-16T22:51:22.314656Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.303Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314656Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"WebView2Loader.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":136576,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82c2b3a8e75ab4fc6cc1360ea2c663e3\",\"sha256Checksum\":\"d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a\",\"createTimestamp\":\"2021-09-08T09:32:16.618Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.620Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\
"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-02622f5a-4fce-56fe-901b-863245b815d6", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.303Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WebView2Loader.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.620Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a", "2021-09-16T22:52:32.755Z", 136576, "code42-exfil-share-datatype", "82c2b3a8e75ab4fc6cc1360ea2c663e3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.303Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.250Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336984Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Collections.Immutable.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":302216,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d8203aedaabeac1e606cd0e2af397d01\",\"sha256Checksum\":\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.294Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,
\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dfab61df-0096-5423-8a0c-b2c4dc5b8b98", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.250Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Collections.Immutable.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.294Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57", "2021-09-16T22:52:32.760Z", 302216, "code42-exfil-share-datatype", "d8203aedaabeac1e606cd0e2af397d01", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.250Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.105Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336624Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"DotNetty.Transport.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":254464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a67dcf64aab4980b9bd9fb623cc7242\",\"sha256Checksum\":\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.044Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-37290152-c41e-56db-908e-bd32da2df133", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.105Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "DotNetty.Transport.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.044Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4", "2021-09-16T22:52:32.765Z", 254464, "code42-exfil-share-datatype", "4a67dcf64aab4980b9bd9fb623cc7242", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.105Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 
ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.268Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334477Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45448,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c9ea75b02fd1d01f87d8ca868c1ec833\",\"sha256Checksum\":\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"createTimestamp\":\"2021-08-18T09:55:42.111Z\",\"modifyTimestamp\":\"2021-08-18T09:55:47.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"file
Classifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-536ae9c9-aa2b-556e-92fa-d090d49269b6", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.268Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:47.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d", "2021-09-16T22:52:32.759Z", 45448, "code42-exfil-share-datatype", "c9ea75b02fd1d01f87d8ca868c1ec833", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.268Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.111Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.098Z 804e3b095828 Skyformation - 7444223728288167550 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508098 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointl30_winrt.dll fsize=86384 msg=Resource [Resource: file :: msointl30_winrt.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.098Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointl30_winrt.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.683Z ext_md5Checksum=18ad415ef30924748d83afeeee4d9cb0 ext_sharedWith=[] ext_sha256Checksum=e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=86384 ext_insertionTimestamp=2021-09-16T22:51:15.337616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.098Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointl30_winrt.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":86384,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18ad415ef30924748d83afeeee4d9cb0\",\"sha256Checksum\":\"e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.683Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null
,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7e4dc97b-2030-545d-a650-c48fd51597ec", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.098Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": 
"src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointl30_winrt.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.683Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd", "2021-09-16T22:52:32.758Z", 86384, "code42-exfil-share-datatype", "18ad415ef30924748d83afeeee4d9cb0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.098Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username duser=darnell.waters 
end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.411Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314807Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"94d4e2bb8654b77c41cd35574e3f0299\",\"sha256Checksum\":\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"createTimestamp\":\"2021-09-08T09:32:11.401Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.402Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncD
estinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44a1a814-a037-5649-ace1-3f3276228e78", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": 
{"start_time": "2021-09-16T22:48:40.411Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-libraryloader-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.402Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082", "2021-09-16T22:52:32.762Z", 12664, "code42-exfil-share-datatype", "94d4e2bb8654b77c41cd35574e3f0299", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.411Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.401Z"]]}}, {"suspicious": 0, "description": 
"```\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.132Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334824Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b81fa8bc88192c7febd2479638aea569\",\"sha256Checksum\":\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"createTimestamp\":\"2021-08-18T09:55:42.158Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.113Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure
\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6b44195a-efec-59e6-90b2-a72c680eb96b", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.132Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.113Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "b81fa8bc88192c7febd2479638aea569", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.132Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.158Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.325Z 804e3b095828 Skyformation - 5312164448627929884 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499325 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=3584 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.325Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.728Z ext_md5Checksum=c62d73c8ea0d55db08cceec7afc7e3cc ext_sharedWith=[] ext_sha256Checksum=2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3584 ext_insertionTimestamp=2021-09-16T22:51:15.335208Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.577Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.325Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335208Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3584,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c62d73c8ea0d55db08cceec7afc7e3cc\",\"sha256Checksum\":\"2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd\",\"createTimestamp\":\"2021-09-09T09:44:28.577Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.728Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cf841002-dfb0-5c90-9fb1-281afd8d004d", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.325Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.728Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd", "2021-09-16T22:52:32.756Z", 3584, "code42-exfil-share-datatype", "c62d73c8ea0d55db08cceec7afc7e3cc", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.325Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.577Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.241Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335618Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",\"sha256Checksum\":\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.863Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,
\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d03cc6e3-0d73-5ec3-902a-28c04f19e570", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.241Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.863Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d", "2021-09-16T22:52:32.765Z", 15240, "code42-exfil-share-datatype", "d1b7ec7c3a95ec1e84117bfef59f1ab6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.241Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.175Z 804e3b095828 Skyformation - 937782685410137034 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511175 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=saext.dll fsize=559480 msg=Resource [Resource: file :: saext.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.175Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=saext.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.174Z ext_md5Checksum=4a0f85409681a359adbbda4104daa7fb ext_sharedWith=[] ext_sha256Checksum=046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=559480 ext_insertionTimestamp=2021-09-16T22:51:15.337820Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.175Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337820Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"saext.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":559480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a0f85409681a359adbbda4104daa7fb\",\"sha256Checksum\":\"046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.174Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSys
temUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2113c1b0-3556-58e7-a54a-1004516f2597", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.175Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "saext.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.174Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9", "2021-09-16T22:52:32.758Z", 559480, "code42-exfil-share-datatype", "4a0f85409681a359adbbda4104daa7fb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:31.175Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.100Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337625Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointlimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":377184,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"99d060c13d92442ea518ad6c13305532\",\"sha256Checksum\":\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"email
Sender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-534dea1b-0dc4-5ca4-8133-5b7d820baf25", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.100Z"}, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointlimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191", "2021-09-16T22:52:32.765Z", 377184, "code42-exfil-share-datatype", "99d060c13d92442ea518ad6c13305532", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.100Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 
ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.089Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336572Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Castle.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":442368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2fba45e50a9fb187e9873416bc6b4400\",\"sha256Checksum\":\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"createTimestamp\":\"2021-05-13T09:36:01.137Z\",\"modifyTimestamp\":\"2021-05-13T09:36:05.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\"
:[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fdc9d09f-3af0-54ae-a39c-63221dc894ec", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.089Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Castle.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:05.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23", "2021-09-16T22:52:32.760Z", 442368, "code42-exfil-share-datatype", "2fba45e50a9fb187e9873416bc6b4400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.089Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.137Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315122Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-string-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f340a17ac423c71767d66973f69d05c8\",\"sha256Checksum\":\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"createTimestamp\":\"2021-09-08T09:32:11.882Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.883Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeT
ypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d693bd9e-8d43-50df-a4ca-e6e50cf7b354", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.206Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-string-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.883Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa", "2021-09-16T22:52:32.761Z", 18296, "code42-exfil-share-datatype", "f340a17ac423c71767d66973f69d05c8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.882Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 
ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.184Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337194Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"libnanoapimanaged.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7197696,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff0f788645e78335908728321c10454b\",\"sha256Checksum\":\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"createTimestamp\":\"2021-09-09T09:44:28.638Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.359Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"re
movableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3dc7244c-e1bd-5b60-bdb4-2cb874a6fd43", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.184Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "libnanoapimanaged.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.359Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c", "2021-09-16T22:52:32.759Z", 7197696, "code42-exfil-share-datatype", "ff0f788645e78335908728321c10454b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.184Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.638Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337186Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"YourPhoneServer.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47104,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"640c3b31c496531dacc0a8fb830fd457\",\"sha256Checksum\":\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"createTimestamp\":\"2021-09-09T09:44:28.653Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.484Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSyst
emUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0fff593c-89eb-5aa2-84bb-cb724b886696", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.178Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneServer.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.484Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7", "2021-09-16T22:52:32.765Z", 47104, "code42-exfil-share-datatype", "640c3b31c496531dacc0a8fb830fd457", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.653Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.158Z 804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336139Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f96e04ea6cbce1560b83bff7a42f29b0\",\"sha256Checksum\":\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDest
ination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a19de0e9-b0a6-5af1-b5fd-d33b5ca62e22", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.158Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9", "2021-09-16T22:52:32.763Z", 14224, "code42-exfil-share-datatype", "f96e04ea6cbce1560b83bff7a42f29b0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 
ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.322Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335199Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"WindowsFormsIntegration.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",\"sha256Checksum\":\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.379Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdde
d\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-48da0a98-8bf3-5368-898a-38df3042e727", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.322Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsFormsIntegration.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.379Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281", "2021-09-16T22:52:32.766Z", 14736, "code42-exfil-share-datatype", "6e8097b4e0d86ed2d1fc1f6f1e3d3ed4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.322Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.345Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337890Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSync.Resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2382208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"3c69d0029f27ff52a1b4d3f70fef0d2b\",\"sha256Checksum\":\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"createTimestamp\":\"2021-09-08T09:32:12.114Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.146Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3b61846d-7e29-5db8-b9ac-8f09a942b29c", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.345Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSync.Resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.146Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f", "2021-09-16T22:52:32.760Z", 2382208, "code42-exfil-share-datatype", "3c69d0029f27ff52a1b4d3f70fef0d2b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.345Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.114Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.309Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337398Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxOutlook.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1439232,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"845c649d20d35fc78fbab0c0d9ec5ec6\",\"sha256Checksum\":\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.168Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"rem
ovableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-4e24a545-12b5-5f9d-b26a-bb7e332d690d", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.309Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxOutlook.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.168Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a", "2021-09-16T22:52:32.761Z", 1439232, "code42-exfil-share-datatype", "845c649d20d35fc78fbab0c0d9ec5ec6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", 
"FILE", "902428473202283166", "2021-09-16T22:48:27.309Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] 
ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.316Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336422Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e2dd338ceac0daebdfdf99d72e40fd80\",\"sha256Checksum\":\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.349Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7a401f3c-d0bf-5d2f-a8fd-832c43bf3a28", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.316Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.349Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34", "2021-09-16T22:52:32.761Z", 36240, "code42-exfil-share-datatype", "e2dd338ceac0daebdfdf99d72e40fd80", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.316Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 
ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.194Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336844Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Options.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":50552,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"89c3d573e8b2e5a71850a69f14fff1a5\",\"sha256Checksum\":\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileC
lassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5dfd09b1-1bb7-5ed5-8f2d-610478d2f8fa", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.194Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Options.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c", "2021-09-16T22:52:32.763Z", 50552, "code42-exfil-share-datatype", "89c3d573e8b2e5a71850a69f14fff1a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.194Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.350Z 804e3b095828 Skyformation - 8180994352798970218 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncConfig.exe fsize=635768 msg=Resource [Resource: file :: FileSyncConfig.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncConfig.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.389Z ext_md5Checksum=23843c09217f08eef3def81b6e92e645 ext_sharedWith=[] ext_sha256Checksum=282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=635768 ext_insertionTimestamp=2021-09-16T22:51:15.337907Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.374Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337907Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncConfig.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":635768,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"23843c09217f08eef3def81b6e92e645\",\"sha256Checksum\":\"282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99\",\"createTimestamp\":\"2021-09-08T09:32:12.374Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.389Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":
\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d415923a-bee3-570e-b61e-3d5b35de5969", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.350Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncConfig.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.389Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99", "2021-09-16T22:52:32.756Z", 635768, "code42-exfil-share-datatype", "23843c09217f08eef3def81b6e92e645", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.374Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.300Z 804e3b095828 Skyformation - 5713470709720643753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520300 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UpdateRingSettings.dll fsize=500600 msg=Resource [Resource: file :: UpdateRingSettings.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.300Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UpdateRingSettings.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.589Z ext_md5Checksum=8670927c143a1e54c0e7d9e7a56159b1 ext_sharedWith=[] ext_sha256Checksum=83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=500600 ext_insertionTimestamp=2021-09-16T22:51:22.314645Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.300Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314645Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"UpdateRingSettings.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":500600,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"8670927c143a1e54c0e7d9e7a56159b1\",\"sha256Checksum\":\"83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0\",\"createTimestamp\":\"2021-09-08T09:32:16.583Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.589Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableM
ediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-16d48bab-8124-5e36-b3e0-42349bf00cc4", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.300Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UpdateRingSettings.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.589Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0", "2021-09-16T22:52:32.756Z", 500600, "code42-exfil-share-datatype", "8670927c143a1e54c0e7d9e7a56159b1", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", 
"902428473202283166", "2021-09-16T22:48:40.300Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] 
ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.331Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337467Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.Core.winmd\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":20280,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d16aec0e28a5f509a04722edf62e01eb\",\"sha256Checksum\":\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.439Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":n
ull,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fe18df90-42e5-5d27-991a-1674d0d8c19a", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.331Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Office.UI.Xaml.Core.winmd", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.439Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7", "2021-09-16T22:52:32.764Z", 20280, "code42-exfil-share-datatype", "d16aec0e28a5f509a04722edf62e01eb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.331Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.196Z 804e3b095828 Skyformation - 5829787252207277270 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832499196 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.196Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.222Z ext_md5Checksum=0e8e10650f39cb0b09ba8c47f840530f ext_sharedWith=[] ext_sha256Checksum=f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.334964Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.196Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334964Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0e8e10650f39cb0b09ba8c47f840530f\",\"sha256Checksum\":\"f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.222Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDest
ination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-279e346e-a172-5393-bce2-3384bb0b5eff", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.196Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.222Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9", "2021-09-16T22:52:32.755Z", 14224, "code42-exfil-share-datatype", "0e8e10650f39cb0b09ba8c47f840530f", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.196Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.136Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336703Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"987db26b17dc24d5b7dec25db1c103c2\",\"sha256Checksum\":\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":n
ull,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d50e681f-cbb7-5757-b591-ef459f2fee04", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.136Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5", "2021-09-16T22:52:32.759Z", 18296, "code42-exfil-share-datatype", "987db26b17dc24d5b7dec25db1c103c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.136Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.123Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"igxim.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4910872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d19ae43d04b6c5c4b5f3fcc081b9e602\",\"sha256Checksum\":\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSy
stemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e9e5d067-489a-514d-9f2a-08e47f979775", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.123Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "igxim.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701", "2021-09-16T22:52:32.759Z", 4910872, "code42-exfil-share-datatype", "d19ae43d04b6c5c4b5f3fcc081b9e602", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.123Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.292Z 804e3b095828 Skyformation - 7352347330459896280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520292 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Telemetry.dll fsize=528248 msg=Resource [Resource: file :: Telemetry.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Telemetry.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.528Z ext_md5Checksum=eb3af15f534b067d98dac6a346728096 ext_sharedWith=[] ext_sha256Checksum=51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=528248 ext_insertionTimestamp=2021-09-16T22:51:22.314633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.519Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] 
ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Telemetry.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":528248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"eb3af15f534b067d98dac6a346728096\",\"sha256Checksum\":\"51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae\",\"createTimestamp\":\"2021-09-08T09:32:16.519Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.528Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"out
sideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2ab229de-8984-5eac-9af7-ee322bfd976e", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.292Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Telemetry.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.528Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae", "2021-09-16T22:52:32.758Z", 528248, "code42-exfil-share-datatype", "eb3af15f534b067d98dac6a346728096", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.519Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 
ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.102Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335997Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":31744,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"88d5e6253dcb376fb076c87713b3628e\",\"sha256Checksum\":\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"createTimestamp\":\"2021-09-09T09:44:28.614Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.054Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6b66f85d-68f8-5d9c-9c2a-b64a13f332bc", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.102Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.054Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a", "2021-09-16T22:52:32.766Z", 31744, "code42-exfil-share-datatype", "88d5e6253dcb376fb076c87713b3628e", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.102Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.614Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336563Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"AutoMapper.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":286720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff3c3d84a000d57ef7d443f594d407ec\",\"sha256Checksum\":\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"createTimestamp\":\"2021-06-17T09:48:12.583Z\",\"modifyTimestamp\":\"2021-06-17T09:48:17.915Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d912d326-0b65-5278-97f3-daacc2394c00", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.086Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "AutoMapper.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-06-17T09:48:17.915Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48", "2021-09-16T22:52:32.759Z", 286720, "code42-exfil-share-datatype", "ff3c3d84a000d57ef7d443f594d407ec", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-06-17T09:48:12.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337748Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"msoimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11529088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3f7fb1d32a7be58e65dc615a9553e183\",\"sha256Checksum\":\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:53.564Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"remov
ableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-12314f44-1778-5595-ad19-9d3d7cfc50fe", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.153Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msoimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:53.564Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc", "2021-09-16T22:52:32.766Z", 11529088, "code42-exfil-share-datatype", "3f7fb1d32a7be58e65dc615a9553e183", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", 
"FILE", "902428473202283166", "2021-09-16T22:48:31.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] 
ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.172Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336782Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Binder.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":24952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f97d210b3ede360f920e2b1d5b702d6b\",\"sha256Checksum\":\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2c21877d-e685-5034-ab53-29f1b1a2b738", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.172Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Binder.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4", "2021-09-16T22:52:32.763Z", 24952, "code42-exfil-share-datatype", "f97d210b3ede360f920e2b1d5b702d6b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.172Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 
ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335653Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6b163d1438afbe087bb895d76ea393e7\",\"sha256Checksum\":\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.926Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":
[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ae30f7b4-650d-56a3-990a-333256499e3b", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.258Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:49.926Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3", "2021-09-16T22:52:32.760Z", 14200, "code42-exfil-share-datatype", "6b163d1438afbe087bb895d76ea393e7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "191784ee-59ba-492b-97db-c26301c0b926", "observable": {"key": "322a628a-ad99-4707-8997-7260985f4c11", "value": "darnellw-official-win10.qa.code42.com", "indicators": [], "type": "domain", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [{"valid_time": {"start_time": "2021-09-17T09:49:18.897Z", "end_time": "2021-10-17T09:49:18.897Z"}, "observable": {"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:f0bd0871", "action": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "judgement_id": "transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156"}], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f0bd0871", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "domain", "value": "darnellw-official-win10.qa.code42.com"}, "type": "warning", "action_id": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for darnellw-official-win10.qa.code42.com than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "darnellw-official-win10.qa.code42.com", "id": "f0bd0871", "judgements": [{"valid_time": {"start_time": "2021-09-17T09:49:18.897Z", "end_time": "2021-10-17T09:49:18.897Z"}, "schema_version": "1.1.3", "observable": {"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=darnellw-official-win10.qa.code42.com", "disposition_name": "Unknown", "priority": 90, "id": "transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156", "severity": "Low", "tlp": "white", "action": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "ctr_uuid": "128d81cd-78f2-4744-98b6-d19900625aa0", "confidence": "High", "ctr_dispositionOrder": 4, "ctr_hide": false}], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.246Z 804e3b095828 Skyformation - 750953637013587902 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 
ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.725Z ext_md5Checksum=4fa0501c386184a3d8b599ab5bfdd7c2 ext_sharedWith=[] ext_sha256Checksum=72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335055Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.576Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335055Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4fa0501c386184a3d8b599ab5bfdd7c2\",\"sha256Checksum\":\"72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979\",\"createTimestamp\":\"2021-09-09T09:44:28.576Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.725Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d0d89806-4329-54f1-92f8-0085c4d17855", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.246Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.725Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979", "2021-09-16T22:52:32.757Z", 20992, "code42-exfil-share-datatype", "4fa0501c386184a3d8b599ab5bfdd7c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.576Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 
ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336992Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.ComponentModel.Annotations.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":43152,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"7d3d14b0417a68ccdd9c51972ff74863\",\"sha256Checksum\":\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"
fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8a5e3684-e7b1-5b9f-a209-d7869b01aeb5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.258Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ComponentModel.Annotations.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4", "2021-09-16T22:52:32.766Z", 43152, "code42-exfil-share-datatype", "7d3d14b0417a68ccdd9c51972ff74863", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.285Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337054Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":293248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"64efa1bfed847afd252e7af274648474\",\"sha256Checksum\":\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-edff67a4-85b1-54b8-8379-dbf469aa9a5d", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.285Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237", "2021-09-16T22:52:32.764Z", 293248, "code42-exfil-share-datatype", "64efa1bfed847afd252e7af274648474", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.285Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.137Z 804e3b095828 Skyformation - 392809219994308060 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521137 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-rtlsupport-l1-1-0.dll fsize=12160 msg=Resource [Resource: file :: api-ms-win-core-rtlsupport-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.137Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-rtlsupport-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.749Z ext_md5Checksum=5bbca69ebadff5aa3456d95a857449f2 ext_sharedWith=[] ext_sha256Checksum=44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12160 ext_insertionTimestamp=2021-09-16T22:51:22.314900Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.748Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.137Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314900Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-rtlsupport-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12160,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5bbca69ebadff5aa3456d95a857449f2\",\"sha256Checksum\":\"44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751\",\"createTimestamp\":\"2021-09-08T09:32:11.748Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.749Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaNam
e\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5bae4ed0-ed1b-5e79-9ed0-91754da9aa59", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.137Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-rtlsupport-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:11.749Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751", "2021-09-16T22:52:32.756Z", 12160, "code42-exfil-share-datatype", "5bbca69ebadff5aa3456d95a857449f2", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.137Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.748Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 
ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.262Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315284Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"msipc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3022712,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"dcd150947325c51dc49af1c568e76466\",\"sha256Checksum\":\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"createTimestamp\":\"2021-09-08T09:32:14.484Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.519Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applic
ation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3764815d-d2f5-579a-be20-2c6282346cd1", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.262Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msipc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.519Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1", "2021-09-16T22:52:32.766Z", 3022712, "code42-exfil-share-datatype", "dcd150947325c51dc49af1c568e76466", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.262Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.484Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.336Z 804e3b095828 Skyformation - 6096184265000961437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507336 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.HxAccounts.dll fsize=2942464 msg=Resource [Resource: file :: Office.UI.Xaml.HxAccounts.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.336Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.HxAccounts.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.642Z ext_md5Checksum=bae190aeab7c357c1ea766ab9254857c ext_sharedWith=[] ext_sha256Checksum=801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2942464 ext_insertionTimestamp=2021-09-16T22:51:15.337484Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.336Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337484Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.HxAccounts.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2942464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bae190aeab7c357c1ea766ab9254857c\",\"sha256Checksum\":\"801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.642Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null
,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", 
"id": "transient:sighting-7f297a60-2a09-5bd3-9ef1-18510e5792a1", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.336Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Office.UI.Xaml.HxAccounts.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.642Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c", "2021-09-16T22:52:32.758Z", 2942464, "code42-exfil-share-datatype", "bae190aeab7c357c1ea766ab9254857c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", 
"Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.336Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] 
ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.307Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":53112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0bf7eed5f18b294cd26d33a71c831237\",\"sha256Checksum\":\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.098Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f7c7271c-b02f-55d5-8324-6347f8c2ef43", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.307Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.098Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28", "2021-09-16T22:52:32.764Z", 53112, "code42-exfil-share-datatype", "0bf7eed5f18b294cd26d33a71c831237", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.307Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.130Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336068Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d7b70d7ae944e13019a7796eb46e966c\",\"sha256Checksum\":\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6bbdcb3d-de81-5fa0-9ce8-8196cab49f6d", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.130Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "d7b70d7ae944e13019a7796eb46e966c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.130Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.199Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315098Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-runtime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":16248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"439e89fa2d4882b639df5e8ec7a96ba3\",\"sha256Checksum\":\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"createTimestamp\":\"2021-09-08T09:32:11.868Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mime
TypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c5651815-9eb9-5ee5-b593-f145187c5f2b", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.199Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-runtime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862", "2021-09-16T22:52:32.759Z", 16248, "code42-exfil-share-datatype", "439e89fa2d4882b639df5e8ec7a96ba3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.199Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.868Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 
ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.328Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c329416237b094613fc5f5a64b2ecbce\",\"sha256Checksum\":\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"createTimestamp\":\"2021-09-09T09:44:28.564Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.664Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cb002c03-bff8-50b9-ab6c-38e051f8eaac", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.328Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.664Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75", "2021-09-16T22:52:32.765Z", 30720, "code42-exfil-share-datatype", "c329416237b094613fc5f5a64b2ecbce", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.328Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.564Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.233Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336279Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":35728,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1b4ed26020dd106aaf2e1a6265dce9d\",\"sha256Checksum\":\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"createTimestamp\":\"2021-08-18T09:55:42.627Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.224Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-36abdf49-657a-59e8-9c6b-bc66f117a563", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.233Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.224Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f", "2021-09-16T22:52:32.760Z", 35728, "code42-exfil-share-datatype", "e1b4ed26020dd106aaf2e1a6265dce9d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.233Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.627Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.200Z 804e3b095828 Skyformation - 7793293095645548560 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501200 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=25088 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.200Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.082Z ext_md5Checksum=fa2e5b66e169df3e80f8eed33a789fbc ext_sharedWith=[] ext_sha256Checksum=9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=25088 
ext_insertionTimestamp=2021-09-16T22:51:15.336201Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.622Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.200Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336201Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":25088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fa2e5b66e169df3e80f8eed33a789fbc\",\"sha256Checksum\":\"9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950\",\"createTimestamp\":\"2021-09-09T09:44:28.622Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.082Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e29fa47e-bf50-58cf-9339-6c430ab38a62", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.200Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.082Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950", "2021-09-16T22:52:32.757Z", 25088, "code42-exfil-share-datatype", "fa2e5b66e169df3e80f8eed33a789fbc", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.200Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.622Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:47.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315494Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"fileName\":\"OneDriveSetup.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47927168,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82a458793a4b821e54408db1a0ae4124\",\"sha256Checksum\":\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"createTimestamp\":\"2021-09-14T09:30:08.167Z\",\"modifyTimestamp\":\"2021-09-14T09:29:55.334Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applica
tion/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:47Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e14fb3f3-aefb-52b4-b546-f90b3b7fd5d2", "observed_start_time": "2021-09-16T22:48:47Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:47.204Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "OneDriveSetup.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-14T09:29:55.334Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4", "2021-09-16T22:52:32.761Z", 47927168, "code42-exfil-share-datatype", "82a458793a4b821e54408db1a0ae4124", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:47.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-14T09:30:08.167Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337062Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Threading.Channels.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"523c15d2368a36583c90119fd9f52fe7\",\"sha256Checksum\":\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.230Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\
":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-ee91bb4e-5f06-55c9-a35c-5b16e355d85e", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.288Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Threading.Channels.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.230Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0", "2021-09-16T22:52:32.766Z", 45952, "code42-exfil-share-datatype", "523c15d2368a36583c90119fd9f52fe7", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z 
ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.190Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336835Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Logging.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":34168,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47d7a055ee7672f9b54ba629da07a6a3\",\"sha256Checksum\":\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a9032f0e-b114-516c-83c5-fcd804f2e56f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.190Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Logging.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c", "2021-09-16T22:52:32.766Z", 34168, "code42-exfil-share-datatype", "47d7a055ee7672f9b54ba629da07a6a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.190Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.248Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315215Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"ipcfile.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":519040,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c0ae22d4188ac20d9d83dd26ad0aabe8\",\"sha256Checksum\":\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"createTimestamp\":\"2021-09-08T09:32:13.591Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.599Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedi
aSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-69abadfe-25fd-5e4f-a407-b3da485bbc62", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.248Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ipcfile.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.599Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0", "2021-09-16T22:52:32.766Z", 519040, "code42-exfil-share-datatype", "c0ae22d4188ac20d9d83dd26ad0aabe8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.248Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z 
ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.295Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335136Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5a9f0b52ac62762bd03d34c0e410acb3\",\"sha256Checksum\":\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.316Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-24d9af69-669e-5391-ae0b-c18dc61ef987", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.295Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.316Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0", "2021-09-16T22:52:32.760Z", 15224, "code42-exfil-share-datatype", "5a9f0b52ac62762bd03d34c0e410acb3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.295Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.161Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334894Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"981e3dd612e3d93ba10c54e46d378aa5\",\"sha256Checksum\":\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.176Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-25fd1982-75f3-5e52-902d-b527a9cd6267", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.161Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.176Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0", "2021-09-16T22:52:32.762Z", 17784, "code42-exfil-share-datatype", "981e3dd612e3d93ba10c54e46d378aa5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.161Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.133Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336694Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":144760,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1edab455db5fec76120731d3c11cb67\",\"sha256Checksum\":\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.823Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5ee0bfc1-0b98-5a2f-bd7a-e2956ae8bd8c", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.133Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.823Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b", "2021-09-16T22:52:32.761Z", 144760, "code42-exfil-share-datatype", "e1edab455db5fec76120731d3c11cb67", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.133Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.108Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Google.Protobuf.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":401064,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e73f645a041a91618e33299cfe33851\",\"sha256Checksum\":\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.060Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMe
diaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-865b0547-28b5-5628-81aa-fd2365d64178", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.108Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Google.Protobuf.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.060Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661", "2021-09-16T22:52:32.766Z", 401064, "code42-exfil-share-datatype", "5e73f645a041a91618e33299cfe33851", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.108Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.153Z 804e3b095828 Skyformation - 7743569861848583628 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-timezone-l1-1-0.dll fsize=12152 msg=Resource [Resource: file :: api-ms-win-core-timezone-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-timezone-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.779Z ext_md5Checksum=1036215228ab84a9089baf43196b5347 ext_sharedWith=[] ext_sha256Checksum=5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12152 ext_insertionTimestamp=2021-09-16T22:51:22.314959Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.778Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314959Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-timezone-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12152,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"1036215228ab84a9089baf43196b5347\",\"sha256Checksum\":\"5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1\",\"createTimestamp\":\"2021-09-08T09:32:11.778Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.779Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-061845c2-9952-5d67-8de4-bc1db5becde4", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.153Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-timezone-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.779Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1", "2021-09-16T22:52:32.755Z", 12152, "code42-exfil-share-datatype", "1036215228ab84a9089baf43196b5347", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.778Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.212Z 804e3b095828 Skyformation - 5968313916744927868 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500212 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationCore.resources.dll fsize=108400 msg=Resource [Resource: file :: PresentationCore.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.212Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationCore.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.722Z ext_md5Checksum=5d4f96b6a42c28702870a533a7617bd5 ext_sharedWith=[] ext_sha256Checksum=30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=108400 
ext_insertionTimestamp=2021-09-16T22:51:15.335548Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.346Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.212Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335548Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"PresentationCore.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":108400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5d4f96b6a42c28702870a533a7617bd5\",\"sha256Checksum\":\"30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7\",\"createTimestamp\":\"2021-08-18T09:55:42.346Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.722Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],
\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b903a5a3-b012-5096-a170-05bc5a2946ba", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.212Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationCore.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:49.722Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7", "2021-09-16T22:52:32.757Z", 108400, "code42-exfil-share-datatype", "5d4f96b6a42c28702870a533a7617bd5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.212Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.346Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.191Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337203Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"fileName\":\"e_sqlite3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":870400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6844e4b40c797e392e1dddcfae0b8dd4\",\"sha256Checksum\":\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"createTimestamp\":\"2020-08-20T09:07:00.718Z\",\"modifyTimestamp\":\"2020-08-20T09:07:05.686Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-eb7e3801-f619-540e-a8f4-05fc9da73c0c", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.191Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "e_sqlite3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-08-20T09:07:05.686Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1", "2021-09-16T22:52:32.766Z", 870400, "code42-exfil-share-datatype", "6844e4b40c797e392e1dddcfae0b8dd4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.191Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-08-20T09:07:00.718Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username 
duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.192Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314319Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.Calc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1333608,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"29b2b242a9fb8c094425d566c50f0958\",\"sha256Checksum\":\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"createTimestamp\":\"2021-09-08T09:32:13.949Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.967Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestination
Username\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-34f54f93-f2dd-59f3-a154-10f1707d627b", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": 
{"start_time": "2021-09-16T22:48:40.192Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.Calc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.967Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64", "2021-09-16T22:52:32.760Z", 1333608, "code42-exfil-share-datatype", "29b2b242a9fb8c094425d566c50f0958", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.192Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.949Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 
2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.330Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335818Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1b1e7bc04757e673ca956218abdb7959\",\"sha256Checksum\":\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"createTimestamp\":\"2021-08-18T09:55:42.393Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.144Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":
null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6cd2b8fc-f731-57c1-86f5-fed67f0957a8", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.330Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.144Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb", "2021-09-16T22:52:32.766Z", 15736, "code42-exfil-share-datatype", "1b1e7bc04757e673ca956218abdb7959", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.330Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.393Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.280Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335704Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc434cced48beee1b8f867474c5cc33d\",\"sha256Checksum\":\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"createTimestamp\":\"2021-09-09T09:44:28.599Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.991Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f31e2487-c55b-515f-b8fc-e0a53f0ef25d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.280Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.991Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6", "2021-09-16T22:52:32.765Z", 26112, "code42-exfil-share-datatype", "dc434cced48beee1b8f867474c5cc33d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.280Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.599Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 
ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.128Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337977Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncTelemetryExtensions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":71544,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"faaf9d982dbaa8ab547098f1fb6abc81\",\"sha256Checksum\":\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"createTimestamp\":\"2021-09-08T09:32:13.402Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.405Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"r
emovableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-91f9087e-ab21-5688-acba-fb1eb85ba5b8", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.128Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncTelemetryExtensions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:13.405Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239", "2021-09-16T22:52:32.759Z", 71544, "code42-exfil-share-datatype", "faaf9d982dbaa8ab547098f1fb6abc81", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.128Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.402Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.166Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Caching.Memory.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":32120,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"9e7c8d18c1128488df0dea96a6b5be3c\",\"sha256Checksum\":\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.247Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-428b7375-7e1c-5850-8200-06507b5b34a0", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.166Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Caching.Memory.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.247Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f", "2021-09-16T22:52:32.764Z", 32120, "code42-exfil-share-datatype", "9e7c8d18c1128488df0dea96a6b5be3c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.166Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.284Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337354Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxCommModel.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4250624,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1d0bcfa0671f607ba8e3ab53f893e8bb\",\"sha256Checksum\":\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.137Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":n
ull,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-19161eab-42bb-5946-8a45-838595016d88", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.284Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxCommModel.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:52.137Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3", "2021-09-16T22:52:32.763Z", 4250624, "code42-exfil-share-datatype", "1d0bcfa0671f607ba8e3ab53f893e8bb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.284Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.160Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336148Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"077bb8ca6a783006aacb63d08317c339\",\"sha256Checksum\":\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61471_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fedbe573-b72a-5077-ba5e-941b4ee49a84", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.160Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92", "2021-09-16T22:52:32.764Z", 17272, "code42-exfil-share-datatype", "077bb8ca6a783006aacb63d08317c339", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.160Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.134Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336077Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Forms.Design.Editors.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":78200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3feb5a138ff178c1dd47a8a99f394517\",\"sha256Checksum\":\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.771Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"
windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-38500b3c-d09a-5933-9f12-8ce1bcf80dc7", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.134Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.Design.Editors.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.771Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30", "2021-09-16T22:52:32.759Z", 78200, "code42-exfil-share-datatype", "3feb5a138ff178c1dd47a8a99f394517", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.134Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314982Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-conio-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c61e3c9099cc2b143cc93bf26ac01d34\",\"sha256Checksum\":\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"createTimestamp\":\"2021-09-08T09:32:11.790Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.790Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTyp
eByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ea331943-231d-59ae-b045-bf2899370e95", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.158Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-conio-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.790Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc", "2021-09-16T22:52:32.763Z", 12664, "code42-exfil-share-datatype", "c61e3c9099cc2b143cc93bf26ac01d34", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.790Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:47:48.222Z\",\"insertionTimestamp\":\"2021-09-16T22:56:50.885010Z\",\"fieldErrors\":[],\"filePath\":\"C:/\",\"fileName\":\"sshd.pid\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":6,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4ae3b17c6481c84809152f331f7d783c\",\"sha256Checksum\":\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"createTimestamp\":\"2021-03-17T09:49:37.832Z\",\"modifyTimestamp\":\"2021-09-16T09:39:11.904Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch
\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:47:48Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-89f62135-5d10-5c8b-b5fa-817a2c27a8aa", "observed_start_time": "2021-09-16T22:47:48Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:47:48.222Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": 
"domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "sshd.pid", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T09:39:11.904Z", "application/octet-stream", "MODIFIED", "162.222.47.183", "darnell.waters", "c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750", "2021-09-16T22:58:29.756Z", 6, "code42-exfil-share-datatype", "4ae3b17c6481c84809152f331f7d783c", 57848, "false", "TRUE", "C:/", "Document", "Administrators", "FILE", "902428473202283166", "2021-09-16T22:47:48.222Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-03-17T09:49:37.832Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events 
dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.090Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335347Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":19968,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b2f71614b51575b117cfa4356d851423\",\"sha256Checksum\":\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"createTimestamp\":\"2021-09-09T09:44:28.589Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.950Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5dc47da6-f678-5f91-974b-61b966157a34", 
"observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.090Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.950Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b", "2021-09-16T22:52:32.761Z", 19968, "code42-exfil-share-datatype", "b2f71614b51575b117cfa4356d851423", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:20.090Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.589Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] 
ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337538Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"TextEntityExtractorProxy.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":638976,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f8af1754c0bdb86deb1f68930784d580\",\"sha256Checksum\":\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.205Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":
null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-136baa2d-5aea-5b0a-9418-0a52aa609308", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.350Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "TextEntityExtractorProxy.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.205Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab", "2021-09-16T22:52:32.767Z", 638976, "code42-exfil-share-datatype", "f8af1754c0bdb86deb1f68930784d580", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.076Z 804e3b095828 Skyformation - 147196130964191603 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832501076 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.076Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.014Z ext_md5Checksum=081d17a68c2295a810e0b139bfa4e114 ext_sharedWith=[] ext_sha256Checksum=99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335934Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.605Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.076Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335934Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"081d17a68c2295a810e0b139bfa4e114\",\"sha256Checksum\":\"99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038\",\"createTimestamp\":\"2021-09-09T09:44:28.605Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.014Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syn
cDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44b73b40-4221-578b-9eae-d3810396510a", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": 
"domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.076Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.014Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038", "2021-09-16T22:52:32.756Z", 20992, "code42-exfil-share-datatype", "081d17a68c2295a810e0b139bfa4e114", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.076Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-09-09T09:44:28.605Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 
ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.146Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335417Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":208784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"beeb465b9ab84dbb8f78f866924d49fe\",\"sha256Checksum\":\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"createTimestamp\":\"2021-08-18T09:55:42.315Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.676Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdde
d\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a2446362-b761-59ca-b266-481be937f20d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.146Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.676Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154", "2021-09-16T22:52:32.766Z", 208784, "code42-exfil-share-datatype", "beeb465b9ab84dbb8f78f866924d49fe", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.146Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.315Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.207Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314378Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":729448,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"4bb5499613eca0fe0670a3cab2d5318e\",\"sha256Checksum\":\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"createTimestamp\":\"2021-09-08T09:32:14.205Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.217Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4705bfeb-5768-5df8-b473-f0f8d7e7e6fa", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.207Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.217Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636", "2021-09-16T22:52:32.764Z", 729448, "code42-exfil-share-datatype", "4bb5499613eca0fe0670a3cab2d5318e", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.207Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.205Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:46.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315412Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"fileName\":\"qtquickextrasplugin.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":80256,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"68118cdf04def6c50804a705773bbd9b\",\"sha256Checksum\":\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"createTimestamp\":\"2021-09-08T09:32:21.221Z\",\"modifyTimestamp\":\"2021-09-08T09:32:21.223Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"
removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:46Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", 
"id": "transient:sighting-5083602b-a06b-5d24-af8f-2bfe63c17e91", "observed_start_time": "2021-09-16T22:48:46Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:46.178Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "qtquickextrasplugin.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:21.223Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8", "2021-09-16T22:52:32.765Z", 80256, "code42-exfil-share-datatype", "68118cdf04def6c50804a705773bbd9b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:46.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:21.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.204Z 804e3b095828 Skyformation - 6039121869236992200 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.dll fsize=8971112 msg=Resource [Resource: file :: Microsoft.SharePoint.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.091Z ext_md5Checksum=aa47b460aedf810bc504ff9cea7b4b71 ext_sharedWith=[] 
ext_sha256Checksum=c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8971112 ext_insertionTimestamp=2021-09-16T22:51:22.314366Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.994Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314366Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":8971112,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"aa47b460aedf810bc504ff9cea7b4b71\",\"sha256Checksum\":\"c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268\",\"createTimestamp\":\"2021-09-08T09:32:13.994Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.091Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"
directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, 
"common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b2501b6d-6041-5a59-b80b-711a0c3b8cd0", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.204Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.091Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268", "2021-09-16T22:52:32.758Z", 8971112, "code42-exfil-share-datatype", "aa47b460aedf810bc504ff9cea7b4b71", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.994Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335127Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Forms.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":355192,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47613e3bfa408b3299c04d0df45433ba\",\"sha256Checksum\":\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.301Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ddd7dd6e-c60a-5d7c-a1c3-0df72e003f42", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.292Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.301Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5", "2021-09-16T22:52:32.763Z", 355192, "code42-exfil-share-datatype", "47613e3bfa408b3299c04d0df45433ba", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336218Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"vcruntime140_cor3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":97160,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18049f6811fc0f94547189a9e104f5d2\",\"sha256Checksum\":\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"createTimestamp\":\"2021-08-18T09:55:42.611Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.958Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removabl
eMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5fc598ee-3323-5bd8-b51e-6aa2487ff75f", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.206Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "vcruntime140_cor3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:53.958Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db", "2021-09-16T22:52:32.762Z", 97160, "code42-exfil-share-datatype", "18049f6811fc0f94547189a9e104f5d2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.611Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.060Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335277Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1ac89288b8009c9a0fb138fb9d67b150\",\"sha256Checksum\":\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"createTimestamp\":\"2021-09-09T09:44:28.586Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.943Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1817976c-22c7-5ba2-a2ec-9f106a5188a4", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.060Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.943Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780", "2021-09-16T22:52:32.763Z", 30720, "code42-exfil-share-datatype", "1ac89288b8009c9a0fb138fb9d67b150", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.060Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.586Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 
ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.278Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336341Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"UIAutomationClient.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18320,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e55e4041d9e6f6bf0d3738a25255913\",\"sha256Checksum\":\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.271Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":
[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7b553448-cac0-598c-9207-98392e4a6815", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.278Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationClient.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:54.271Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f", "2021-09-16T22:52:32.762Z", 18320, "code42-exfil-share-datatype", "5e55e4041d9e6f6bf0d3738a25255913", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.278Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.388Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314702Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-datetime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"98cfeaa96192d5dccc4a1852f6754fd5\",\"sha256Checksum\":\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"createTimestamp\":\"2021-09-08T09:32:11.142Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.155Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-821e586f-78f1-5c4b-a330-7c3a4a90e160", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.388Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-datetime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.155Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027", "2021-09-16T22:52:32.762Z", 11648, "code42-exfil-share-datatype", "98cfeaa96192d5dccc4a1852f6754fd5", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.388Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.142Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.216Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337256Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"libnanoapi.lib\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":1570,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bb41b302cf1325c4f459616da8e605a2\",\"sha256Checksum\":\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"createTimestamp\":\"2021-09-09T09:44:28.468Z\",\"modifyTimestamp\":\"2021-09-09T09:44:30.262Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\
":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-archive\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-326df068-94c9-5e34-81e0-c9ea9531369e", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.216Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libnanoapi.lib", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:30.262Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df", "2021-09-16T22:52:32.763Z", 1570, "code42-exfil-share-datatype", "bb41b302cf1325c4f459616da8e605a2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/", "Archive", "SYSTEM", "FILE", 
"902428473202283166", "2021-09-16T22:48:23.216Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.468Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] 
ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337045Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Encodings.Web.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":59768,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2e2490a823b4a3d290a98d0371d199ed\",\"sha256Checksum\":\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-098fcb07-3723-5a0e-8225-82803059eaf5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.281Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Encodings.Web.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724", "2021-09-16T22:52:32.766Z", 59768, "code42-exfil-share-datatype", "2e2490a823b4a3d290a98d0371d199ed", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.245Z 804e3b095828 Skyformation - 9011587025266222990 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500245 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xaml.resources.dll fsize=64400 msg=Resource [Resource: file :: System.Xaml.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.245Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Xaml.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.879Z ext_md5Checksum=79f7a9435ff548517a7219880789cca3 ext_sharedWith=[] ext_sha256Checksum=030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=64400 ext_insertionTimestamp=2021-09-16T22:51:15.335626Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.245Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335626Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Xaml.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":64400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"79f7a9435ff548517a7219880789cca3\",\"sha256Checksum\":\"030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNum
ber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-21427167-a3b0-5f52-8702-af47599ee1bb", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.245Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xaml.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683", "2021-09-16T22:52:32.758Z", 64400, "code42-exfil-share-datatype", "79f7a9435ff548517a7219880789cca3", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.245Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z 
ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.391Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314714Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-debug-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5c7fa0b68872c2d1d3f10601e3af2341\",\"sha256Checksum\":\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"createTimestamp\":\"2021-09-08T09:32:11.181Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.185Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"101
7088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 
30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-df11e4bd-5223-5ba3-998c-63e5b6a7404f", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.391Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", 
"api-ms-win-core-debug-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.185Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477", "2021-09-16T22:52:32.758Z", 11648, "code42-exfil-share-datatype", "5c7fa0b68872c2d1d3f10601e3af2341", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.391Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.181Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:30.321Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337686Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"inktotextengineimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":346480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3579a936952da7532c4358700bed43a3\",\"sha256Checksum\":\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.674Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\
"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:30Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8fc99d0b-10ae-5866-bcf6-596487b75f28", "observed_start_time": "2021-09-16T22:48:30Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:30.321Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "inktotextengineimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.674Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82", "2021-09-16T22:52:32.762Z", 346480, "code42-exfil-share-datatype", "3579a936952da7532c4358700bed43a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:30.321Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.125Z 804e3b095828 Skyformation - 6459940454527848135 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832501125 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=37264 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.125Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=0d48b65e82aff3b5d117729868cf0319 ext_sharedWith=[] ext_sha256Checksum=1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37264 ext_insertionTimestamp=2021-09-16T22:51:15.336060Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.125Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336060Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":37264,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0d48b65e82aff3b5d117729868cf0319\",\"sha256Checksum\":\"1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestinatio
n\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-68df9315-560d-5c70-8845-a14a097e8135", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.125Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d", "2021-09-16T22:52:32.757Z", 37264, "code42-exfil-share-datatype", "0d48b65e82aff3b5d117729868cf0319", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.125Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",\"sha256Checksum\":\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"createTimestamp\":\"2021-09-09T09:44:28.598Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.987Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"s
hared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c63c47b6-7c5e-566e-aa43-5f12c76a8510", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.288Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.987Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c", "2021-09-16T22:52:32.761Z", 26112, "code42-exfil-share-datatype", "c0d4746e3cb9e48dfa98f5e7d7bd98a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.598Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.303Z 804e3b095828 Skyformation - 808043852961842895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=256912 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.082Z ext_md5Checksum=dc8ca3ec6a99318b649dc686002e72d4 ext_sharedWith=[] ext_sha256Checksum=75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=256912 ext_insertionTimestamp=2021-09-16T22:51:15.335757Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.303Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335757Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":256912,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc8ca3ec6a99318b649dc686002e72d4\",\"sha256Checksum\":\"75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.082Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-affd0ffb-ec18-572a-a4fd-d077df9f8e38", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.303Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.082Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c", "2021-09-16T22:52:32.757Z", 256912, "code42-exfil-share-datatype", "dc8ca3ec6a99318b649dc686002e72d4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.303Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.163Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335444Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b5cb4e7532586d8ec2a144fe895ef55d\",\"sha256Checksum\":\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"createTimestamp\":\"2021-08-18T09:55:42.330Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.707Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1d401e9a-2cb1-5def-a24d-24a9b8b5ac8b", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.163Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.707Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e", "2021-09-16T22:52:32.765Z", 17272, "code42-exfil-share-datatype", "b5cb4e7532586d8ec2a144fe895ef55d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.163Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.330Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337345Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":22965248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3bf2cfa3eeecd650c9564a2b6543b398\",\"sha256Checksum\":\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:51.480Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operating
SystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-59a10cc7-a14c-5876-9451-e86731e2b5a1", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.281Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": 
"src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:51.480Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680", "2021-09-16T22:52:32.760Z", 22965248, "code42-exfil-share-datatype", "3bf2cfa3eeecd650c9564a2b6543b398", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 
fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335338Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"mscorrc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":13176,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fc24926593d08479a7ed2bdaff458d20\",\"sha256Checksum\":\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"createTimestamp\":\"2021-08-18T09:55:42.252Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.613Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\
"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb64de71-ae43-53b8-99b8-1d60d6a1fce9", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.086Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorrc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.613Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532", "2021-09-16T22:52:32.759Z", 13176, "code42-exfil-share-datatype", "fc24926593d08479a7ed2bdaff458d20", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.252Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.231Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314459Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5DBus.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":437624,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"d10cb4ac9a26d6350f1079399351e9d3\",\"sha256Checksum\":\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"createTimestamp\":\"2021-09-08T09:32:15.238Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.354Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-51e040bc-c210-5e54-ab78-5a8a0241c9ec", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.231Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5DBus.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.354Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8", "2021-09-16T22:52:32.760Z", 437624, "code42-exfil-share-datatype", "d10cb4ac9a26d6350f1079399351e9d3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.231Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.238Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.139Z 804e3b095828 Skyformation - 675604398557112437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502139 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Common.dll fsize=37240 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Common.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.139Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Common.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=405c72ee27026791aae1d61e63941509 ext_sharedWith=[] 
ext_sha256Checksum=838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37240 ext_insertionTimestamp=2021-09-16T22:51:15.336712Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.139Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336712Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Common.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":37240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"405c72ee27026791aae1d61e63941509\",\"sha256Checksum\":\"838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f86a975c-9f26-5e51-802f-84c2af9a6932", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.139Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Common.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a", "2021-09-16T22:52:32.756Z", 37240, "code42-exfil-share-datatype", "405c72ee27026791aae1d61e63941509", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.139Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336975Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Buffers.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20856,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ecdfe8ede869d2ccc6bf99981ea96400\",\"sha256Checksum\":\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.607Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMedi
aName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6952810f-046c-5949-8e5d-34f48532431a", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.246Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Buffers.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.607Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb", "2021-09-16T22:52:32.759Z", 20856, "code42-exfil-share-datatype", "ecdfe8ede869d2ccc6bf99981ea96400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.229Z 804e3b095828 Skyformation - 7367432510121182400 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520229 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Core.dll fsize=5929344 msg=Resource [Resource: file :: Qt5Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.229Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.180Z ext_md5Checksum=0629615fa66f3c3d4f16741c7fc04807 ext_sharedWith=[] ext_sha256Checksum=5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5929344 ext_insertionTimestamp=2021-09-16T22:51:22.314447Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.121Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.229Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314447Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5929344,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"0629615fa66f3c3d4f16741c7fc04807\",\"sha256Checksum\":\"5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5\",\"createTimestamp\":\"2021-09-08T09:32:15.121Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.180Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"appli
cation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66babe0b-6e97-52f2-964c-23812722ada2", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.229Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.180Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5", "2021-09-16T22:52:32.756Z", 5929344, "code42-exfil-share-datatype", "0629615fa66f3c3d4f16741c7fc04807", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.229Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.121Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.124Z 804e3b095828 Skyformation - 4266986604087729995 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500124 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.124Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.960Z ext_md5Checksum=303d4e1e6736b01a0e0d418c543c1346 ext_sharedWith=[] ext_sha256Checksum=4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335373Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.124Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335373Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"303d4e1e6736b01a0e0d418c543c1346\",\"sha256Checksum\":\"4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6\",\"createTimestamp\":\"2021-09-09T09:44:28.591Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.960Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVen
dor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3f6c10e2-6344-52d5-8291-7e3610ff01c3", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.124Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.960Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6", "2021-09-16T22:52:32.757Z", 20992, "code42-exfil-share-datatype", "303d4e1e6736b01a0e0d418c543c1346", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.124Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.409Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314795Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-interlocked-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11640,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"72413f1254d09348dab76ee4e5e2e300\",\"sha256Checksum\":\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"createTimestamp\":\"2021-09-08T09:32:11.394Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.395Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dfa102a1-c14f-54fa-a264-167f1cca11d6", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.409Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-interlocked-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.395Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9", "2021-09-16T22:52:32.767Z", 11640, "code42-exfil-share-datatype", "72413f1254d09348dab76ee4e5e2e300", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.409Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.394Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.279Z 804e3b095828 Skyformation - 1930420880376628781 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507279 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.Ipc.Proxies.dll fsize=15872 msg=Resource [Resource: file :: HxComm.Ipc.Proxies.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.279Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.Ipc.Proxies.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.074Z ext_md5Checksum=cf6b921615692c64ac828dd7a37dd753 ext_sharedWith=[] ext_sha256Checksum=a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15872 
ext_insertionTimestamp=2021-09-16T22:51:15.337336Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.279Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337336Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.Ipc.Proxies.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"cf6b921615692c64ac828dd7a37dd753\",\"sha256Checksum\":\"a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.074Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[
],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a7581d2d-5489-5d5e-90a1-c3053d0c9faf", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.279Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.Ipc.Proxies.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:52.074Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1", "2021-09-16T22:52:32.758Z", 15872, "code42-exfil-share-datatype", "cf6b921615692c64ac828dd7a37dd753", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.279Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314470Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Gui.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6671232,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f53d5cd7837e933cf4cc8c07a1a88350\",\"sha256Checksum\":\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"createTimestamp\":\"2021-09-08T09:32:15.375Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.450Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applic
ation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-017b269d-f20a-556e-98ca-8882048439ca", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.234Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Gui.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.450Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0", "2021-09-16T22:52:32.762Z", 6671232, "code42-exfil-share-datatype", "f53d5cd7837e933cf4cc8c07a1a88350", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.234Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.375Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.168Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336774Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Abstractions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":21368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1c8f3a5d41fd162943613952097db8b\",\"sha256Checksum\":\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableM
ediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7eaa3a3c-8d7d-5542-ba3c-9a16e57c793b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.168Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Abstractions.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732", "2021-09-16T22:52:32.765Z", 21368, "code42-exfil-share-datatype", "e1c8f3a5d41fd162943613952097db8b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.168Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.219Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336922Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Newtonsoft.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":653824,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f33cbe589b769956284868104686cc2d\",\"sha256Checksum\":\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"createTimestamp\":\"2020-05-21T13:18:58.618Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.588Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fe8ae781-02a0-5307-abd5-6384db4d2597", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.219Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Newtonsoft.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.588Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278", "2021-09-16T22:52:32.761Z", 653824, "code42-exfil-share-datatype", "f33cbe589b769956284868104686cc2d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.219Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.201Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314355Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.WebSocketClient.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1103208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"e93c70df0faa580e8272c9c833238352\",\"sha256Checksum\":\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"createTimestamp\":\"2021-09-08T09:32:14.457Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.468Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMed
iaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5da6e225-f60e-5faa-9c7e-9550e0df63ac", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.201Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.WebSocketClient.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.468Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00", "2021-09-16T22:52:32.763Z", 1103208, "code42-exfil-share-datatype", "e93c70df0faa580e8272c9c833238352", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.201Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.457Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.303Z 804e3b095828 Skyformation - 2504656101616966541 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WebView2Loader.dll fsize=136576 msg=Resource [Resource: file :: WebView2Loader.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WebView2Loader.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.620Z ext_md5Checksum=82c2b3a8e75ab4fc6cc1360ea2c663e3 ext_sharedWith=[] ext_sha256Checksum=d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=136576 ext_insertionTimestamp=2021-09-16T22:51:22.314656Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.303Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314656Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"WebView2Loader.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":136576,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82c2b3a8e75ab4fc6cc1360ea2c663e3\",\"sha256Checksum\":\"d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a\",\"createTimestamp\":\"2021-09-08T09:32:16.618Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.620Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\
"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-02622f5a-4fce-56fe-901b-863245b815d6", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.303Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WebView2Loader.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.620Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a", "2021-09-16T22:52:32.755Z", 136576, "code42-exfil-share-datatype", "82c2b3a8e75ab4fc6cc1360ea2c663e3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.303Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.250Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336984Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Collections.Immutable.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":302216,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d8203aedaabeac1e606cd0e2af397d01\",\"sha256Checksum\":\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.294Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,
\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dfab61df-0096-5423-8a0c-b2c4dc5b8b98", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.250Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Collections.Immutable.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.294Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57", "2021-09-16T22:52:32.760Z", 302216, "code42-exfil-share-datatype", "d8203aedaabeac1e606cd0e2af397d01", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.250Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.105Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336624Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"DotNetty.Transport.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":254464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a67dcf64aab4980b9bd9fb623cc7242\",\"sha256Checksum\":\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.044Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-37290152-c41e-56db-908e-bd32da2df133", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.105Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "DotNetty.Transport.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.044Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4", "2021-09-16T22:52:32.765Z", 254464, "code42-exfil-share-datatype", "4a67dcf64aab4980b9bd9fb623cc7242", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.105Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 
ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.268Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334477Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45448,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c9ea75b02fd1d01f87d8ca868c1ec833\",\"sha256Checksum\":\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"createTimestamp\":\"2021-08-18T09:55:42.111Z\",\"modifyTimestamp\":\"2021-08-18T09:55:47.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"file
Classifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-536ae9c9-aa2b-556e-92fa-d090d49269b6", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.268Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:47.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d", "2021-09-16T22:52:32.759Z", 45448, "code42-exfil-share-datatype", "c9ea75b02fd1d01f87d8ca868c1ec833", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.268Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.111Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.098Z 804e3b095828 Skyformation - 7444223728288167550 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508098 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointl30_winrt.dll fsize=86384 msg=Resource [Resource: file :: msointl30_winrt.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.098Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointl30_winrt.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.683Z ext_md5Checksum=18ad415ef30924748d83afeeee4d9cb0 ext_sharedWith=[] ext_sha256Checksum=e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=86384 ext_insertionTimestamp=2021-09-16T22:51:15.337616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.098Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointl30_winrt.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":86384,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18ad415ef30924748d83afeeee4d9cb0\",\"sha256Checksum\":\"e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.683Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null
,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7e4dc97b-2030-545d-a650-c48fd51597ec", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.098Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": 
"src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointl30_winrt.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.683Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd", "2021-09-16T22:52:32.758Z", 86384, "code42-exfil-share-datatype", "18ad415ef30924748d83afeeee4d9cb0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.098Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username duser=darnell.waters 
end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.411Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314807Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"94d4e2bb8654b77c41cd35574e3f0299\",\"sha256Checksum\":\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"createTimestamp\":\"2021-09-08T09:32:11.401Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.402Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncD
estinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44a1a814-a037-5649-ace1-3f3276228e78", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": 
{"start_time": "2021-09-16T22:48:40.411Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-libraryloader-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.402Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082", "2021-09-16T22:52:32.762Z", 12664, "code42-exfil-share-datatype", "94d4e2bb8654b77c41cd35574e3f0299", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.411Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.401Z"]]}}, {"suspicious": 0, "description": 
"```\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.132Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334824Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b81fa8bc88192c7febd2479638aea569\",\"sha256Checksum\":\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"createTimestamp\":\"2021-08-18T09:55:42.158Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.113Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure
\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6b44195a-efec-59e6-90b2-a72c680eb96b", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.132Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.113Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "b81fa8bc88192c7febd2479638aea569", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.132Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.158Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.325Z 804e3b095828 Skyformation - 5312164448627929884 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499325 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=3584 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.325Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.728Z ext_md5Checksum=c62d73c8ea0d55db08cceec7afc7e3cc ext_sharedWith=[] ext_sha256Checksum=2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3584 ext_insertionTimestamp=2021-09-16T22:51:15.335208Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.577Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.325Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335208Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3584,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c62d73c8ea0d55db08cceec7afc7e3cc\",\"sha256Checksum\":\"2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd\",\"createTimestamp\":\"2021-09-09T09:44:28.577Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.728Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cf841002-dfb0-5c90-9fb1-281afd8d004d", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.325Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.728Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd", "2021-09-16T22:52:32.756Z", 3584, "code42-exfil-share-datatype", "c62d73c8ea0d55db08cceec7afc7e3cc", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.325Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.577Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.241Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335618Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",\"sha256Checksum\":\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.863Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,
\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d03cc6e3-0d73-5ec3-902a-28c04f19e570", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.241Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.863Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d", "2021-09-16T22:52:32.765Z", 15240, "code42-exfil-share-datatype", "d1b7ec7c3a95ec1e84117bfef59f1ab6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.241Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.175Z 804e3b095828 Skyformation - 937782685410137034 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511175 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=saext.dll fsize=559480 msg=Resource [Resource: file :: saext.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.175Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=saext.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.174Z ext_md5Checksum=4a0f85409681a359adbbda4104daa7fb ext_sharedWith=[] ext_sha256Checksum=046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=559480 ext_insertionTimestamp=2021-09-16T22:51:15.337820Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.175Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337820Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"saext.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":559480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a0f85409681a359adbbda4104daa7fb\",\"sha256Checksum\":\"046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.174Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSys
temUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2113c1b0-3556-58e7-a54a-1004516f2597", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.175Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "saext.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.174Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9", "2021-09-16T22:52:32.758Z", 559480, "code42-exfil-share-datatype", "4a0f85409681a359adbbda4104daa7fb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:31.175Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.100Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337625Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointlimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":377184,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"99d060c13d92442ea518ad6c13305532\",\"sha256Checksum\":\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"email
Sender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-534dea1b-0dc4-5ca4-8133-5b7d820baf25", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.100Z"}, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointlimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191", "2021-09-16T22:52:32.765Z", 377184, "code42-exfil-share-datatype", "99d060c13d92442ea518ad6c13305532", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.100Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 
ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.089Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336572Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Castle.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":442368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2fba45e50a9fb187e9873416bc6b4400\",\"sha256Checksum\":\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"createTimestamp\":\"2021-05-13T09:36:01.137Z\",\"modifyTimestamp\":\"2021-05-13T09:36:05.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\"
:[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fdc9d09f-3af0-54ae-a39c-63221dc894ec", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.089Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Castle.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:05.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23", "2021-09-16T22:52:32.760Z", 442368, "code42-exfil-share-datatype", "2fba45e50a9fb187e9873416bc6b4400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.089Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.137Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315122Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-string-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f340a17ac423c71767d66973f69d05c8\",\"sha256Checksum\":\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"createTimestamp\":\"2021-09-08T09:32:11.882Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.883Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeT
ypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d693bd9e-8d43-50df-a4ca-e6e50cf7b354", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.206Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-string-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.883Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa", "2021-09-16T22:52:32.761Z", 18296, "code42-exfil-share-datatype", "f340a17ac423c71767d66973f69d05c8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.882Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 
ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.184Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337194Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"libnanoapimanaged.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7197696,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff0f788645e78335908728321c10454b\",\"sha256Checksum\":\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"createTimestamp\":\"2021-09-09T09:44:28.638Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.359Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"re
movableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3dc7244c-e1bd-5b60-bdb4-2cb874a6fd43", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.184Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "libnanoapimanaged.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.359Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c", "2021-09-16T22:52:32.759Z", 7197696, "code42-exfil-share-datatype", "ff0f788645e78335908728321c10454b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.184Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.638Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337186Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"YourPhoneServer.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47104,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"640c3b31c496531dacc0a8fb830fd457\",\"sha256Checksum\":\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"createTimestamp\":\"2021-09-09T09:44:28.653Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.484Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSyst
emUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0fff593c-89eb-5aa2-84bb-cb724b886696", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.178Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneServer.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.484Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7", "2021-09-16T22:52:32.765Z", 47104, "code42-exfil-share-datatype", "640c3b31c496531dacc0a8fb830fd457", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.653Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.158Z 804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336139Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f96e04ea6cbce1560b83bff7a42f29b0\",\"sha256Checksum\":\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDest
ination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a19de0e9-b0a6-5af1-b5fd-d33b5ca62e22", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.158Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9", "2021-09-16T22:52:32.763Z", 14224, "code42-exfil-share-datatype", "f96e04ea6cbce1560b83bff7a42f29b0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 
ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.322Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335199Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"WindowsFormsIntegration.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",\"sha256Checksum\":\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.379Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdde
d\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-48da0a98-8bf3-5368-898a-38df3042e727", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.322Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsFormsIntegration.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.379Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281", "2021-09-16T22:52:32.766Z", 14736, "code42-exfil-share-datatype", "6e8097b4e0d86ed2d1fc1f6f1e3d3ed4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.322Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.345Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337890Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSync.Resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2382208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"3c69d0029f27ff52a1b4d3f70fef0d2b\",\"sha256Checksum\":\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"createTimestamp\":\"2021-09-08T09:32:12.114Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.146Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3b61846d-7e29-5db8-b9ac-8f09a942b29c", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.345Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSync.Resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.146Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f", "2021-09-16T22:52:32.760Z", 2382208, "code42-exfil-share-datatype", "3c69d0029f27ff52a1b4d3f70fef0d2b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.345Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.114Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.309Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337398Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxOutlook.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1439232,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"845c649d20d35fc78fbab0c0d9ec5ec6\",\"sha256Checksum\":\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.168Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"rem
ovableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-4e24a545-12b5-5f9d-b26a-bb7e332d690d", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.309Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxOutlook.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.168Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a", "2021-09-16T22:52:32.761Z", 1439232, "code42-exfil-share-datatype", "845c649d20d35fc78fbab0c0d9ec5ec6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", 
"FILE", "902428473202283166", "2021-09-16T22:48:27.309Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] 
ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.316Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336422Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e2dd338ceac0daebdfdf99d72e40fd80\",\"sha256Checksum\":\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.349Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7a401f3c-d0bf-5d2f-a8fd-832c43bf3a28", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.316Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.349Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34", "2021-09-16T22:52:32.761Z", 36240, "code42-exfil-share-datatype", "e2dd338ceac0daebdfdf99d72e40fd80", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.316Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 
ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.194Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336844Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Options.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":50552,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"89c3d573e8b2e5a71850a69f14fff1a5\",\"sha256Checksum\":\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileC
lassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5dfd09b1-1bb7-5ed5-8f2d-610478d2f8fa", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.194Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Options.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c", "2021-09-16T22:52:32.763Z", 50552, "code42-exfil-share-datatype", "89c3d573e8b2e5a71850a69f14fff1a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.194Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.350Z 804e3b095828 Skyformation - 8180994352798970218 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncConfig.exe fsize=635768 msg=Resource [Resource: file :: FileSyncConfig.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncConfig.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.389Z ext_md5Checksum=23843c09217f08eef3def81b6e92e645 ext_sharedWith=[] ext_sha256Checksum=282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=635768 ext_insertionTimestamp=2021-09-16T22:51:15.337907Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.374Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337907Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncConfig.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":635768,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"23843c09217f08eef3def81b6e92e645\",\"sha256Checksum\":\"282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99\",\"createTimestamp\":\"2021-09-08T09:32:12.374Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.389Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":
\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d415923a-bee3-570e-b61e-3d5b35de5969", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.350Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncConfig.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.389Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99", "2021-09-16T22:52:32.756Z", 635768, "code42-exfil-share-datatype", "23843c09217f08eef3def81b6e92e645", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.374Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.300Z 804e3b095828 Skyformation - 5713470709720643753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520300 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UpdateRingSettings.dll fsize=500600 msg=Resource [Resource: file :: UpdateRingSettings.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.300Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UpdateRingSettings.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.589Z ext_md5Checksum=8670927c143a1e54c0e7d9e7a56159b1 ext_sharedWith=[] ext_sha256Checksum=83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=500600 ext_insertionTimestamp=2021-09-16T22:51:22.314645Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.300Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314645Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"UpdateRingSettings.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":500600,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"8670927c143a1e54c0e7d9e7a56159b1\",\"sha256Checksum\":\"83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0\",\"createTimestamp\":\"2021-09-08T09:32:16.583Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.589Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableM
ediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-16d48bab-8124-5e36-b3e0-42349bf00cc4", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.300Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UpdateRingSettings.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.589Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0", "2021-09-16T22:52:32.756Z", 500600, "code42-exfil-share-datatype", "8670927c143a1e54c0e7d9e7a56159b1", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", 
"902428473202283166", "2021-09-16T22:48:40.300Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] 
ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.331Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337467Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.Core.winmd\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":20280,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d16aec0e28a5f509a04722edf62e01eb\",\"sha256Checksum\":\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.439Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":n
ull,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fe18df90-42e5-5d27-991a-1674d0d8c19a", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.331Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Office.UI.Xaml.Core.winmd", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.439Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7", "2021-09-16T22:52:32.764Z", 20280, "code42-exfil-share-datatype", "d16aec0e28a5f509a04722edf62e01eb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.331Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.196Z 804e3b095828 Skyformation - 5829787252207277270 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832499196 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.196Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.222Z ext_md5Checksum=0e8e10650f39cb0b09ba8c47f840530f ext_sharedWith=[] ext_sha256Checksum=f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.334964Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.196Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334964Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0e8e10650f39cb0b09ba8c47f840530f\",\"sha256Checksum\":\"f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.222Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDest
ination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-279e346e-a172-5393-bce2-3384bb0b5eff", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.196Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.222Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9", "2021-09-16T22:52:32.755Z", 14224, "code42-exfil-share-datatype", "0e8e10650f39cb0b09ba8c47f840530f", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.196Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.136Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336703Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"987db26b17dc24d5b7dec25db1c103c2\",\"sha256Checksum\":\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":n
ull,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d50e681f-cbb7-5757-b591-ef459f2fee04", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.136Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5", "2021-09-16T22:52:32.759Z", 18296, "code42-exfil-share-datatype", "987db26b17dc24d5b7dec25db1c103c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.136Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.123Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"igxim.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4910872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d19ae43d04b6c5c4b5f3fcc081b9e602\",\"sha256Checksum\":\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSy
stemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e9e5d067-489a-514d-9f2a-08e47f979775", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.123Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "igxim.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701", "2021-09-16T22:52:32.759Z", 4910872, "code42-exfil-share-datatype", "d19ae43d04b6c5c4b5f3fcc081b9e602", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.123Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.292Z 804e3b095828 Skyformation - 7352347330459896280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520292 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Telemetry.dll fsize=528248 msg=Resource [Resource: file :: Telemetry.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Telemetry.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.528Z ext_md5Checksum=eb3af15f534b067d98dac6a346728096 ext_sharedWith=[] ext_sha256Checksum=51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=528248 ext_insertionTimestamp=2021-09-16T22:51:22.314633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.519Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] 
ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Telemetry.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":528248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"eb3af15f534b067d98dac6a346728096\",\"sha256Checksum\":\"51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae\",\"createTimestamp\":\"2021-09-08T09:32:16.519Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.528Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"out
sideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2ab229de-8984-5eac-9af7-ee322bfd976e", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.292Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Telemetry.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.528Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae", "2021-09-16T22:52:32.758Z", 528248, "code42-exfil-share-datatype", "eb3af15f534b067d98dac6a346728096", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.519Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 
ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.102Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335997Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":31744,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"88d5e6253dcb376fb076c87713b3628e\",\"sha256Checksum\":\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"createTimestamp\":\"2021-09-09T09:44:28.614Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.054Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6b66f85d-68f8-5d9c-9c2a-b64a13f332bc", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.102Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.054Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a", "2021-09-16T22:52:32.766Z", 31744, "code42-exfil-share-datatype", "88d5e6253dcb376fb076c87713b3628e", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.102Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.614Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336563Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"AutoMapper.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":286720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff3c3d84a000d57ef7d443f594d407ec\",\"sha256Checksum\":\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"createTimestamp\":\"2021-06-17T09:48:12.583Z\",\"modifyTimestamp\":\"2021-06-17T09:48:17.915Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d912d326-0b65-5278-97f3-daacc2394c00", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.086Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "AutoMapper.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-06-17T09:48:17.915Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48", "2021-09-16T22:52:32.759Z", 286720, "code42-exfil-share-datatype", "ff3c3d84a000d57ef7d443f594d407ec", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-06-17T09:48:12.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337748Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"msoimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11529088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3f7fb1d32a7be58e65dc615a9553e183\",\"sha256Checksum\":\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:53.564Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"remov
ableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-12314f44-1778-5595-ad19-9d3d7cfc50fe", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.153Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msoimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:53.564Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc", "2021-09-16T22:52:32.766Z", 11529088, "code42-exfil-share-datatype", "3f7fb1d32a7be58e65dc615a9553e183", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", 
"FILE", "902428473202283166", "2021-09-16T22:48:31.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] 
ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.172Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336782Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Binder.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":24952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f97d210b3ede360f920e2b1d5b702d6b\",\"sha256Checksum\":\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2c21877d-e685-5034-ab53-29f1b1a2b738", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.172Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Binder.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4", "2021-09-16T22:52:32.763Z", 24952, "code42-exfil-share-datatype", "f97d210b3ede360f920e2b1d5b702d6b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.172Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 
ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335653Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6b163d1438afbe087bb895d76ea393e7\",\"sha256Checksum\":\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.926Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":
[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ae30f7b4-650d-56a3-990a-333256499e3b", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.258Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:49.926Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3", "2021-09-16T22:52:32.760Z", 14200, "code42-exfil-share-datatype", "6b163d1438afbe087bb895d76ea393e7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}], "revListOrder": 4}, "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f0bd0871", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "domain", "value": "darnellw-official-win10.qa.code42.com"}, "type": "warning", "action_id": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for darnellw-official-win10.qa.code42.com than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "disposition": 5, "type": "domain", "value": "darnellw-official-win10.qa.code42.com", "id": "f0bd0871"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-9dcbc1ae-0064-450d-8415-8c7297a32c72", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T09:49:47.000Z", "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "domain:\"darnellw-official-win10.qa.code42.com\"", "actions": "[{\"arg\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"created\":\"2021-09-17T09:49:18.287Z\",\"id\":\"collect-e525936f\",\"result\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T09:49:18.501Z\",\"uuid\":\"05730f0b-9c26-48d8-b2bc-d2c1d77457ac\"},{\"arg\":{\"type\":\"domain\",\"value\":\"darnellw-official-win10.qa.code42.com\"},\"created\":\"2021-09-17T09:49:18.517Z\",\"id\":\"investigate-cfd01cb9\",\"result\":{\"data\":[{\"module\":\"Talos 
Intelligence\",\"module_instance_id\":\"f14a7465-a77a-4e28-8b97-23706a56eab5\",\"module_type_id\":\"2460c99b-2f01-523b-a65d-30a3c6603245\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"},\"judgement_id\":\"transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156\",\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2024-09-20T09:49:18.897Z\",\"end_time\":\"2024-10-20T09:49:18.897Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2024-09-20T09:49:18.897Z\",\"end_time\":\"2024-10-20T09:49:18.897Z\"},\"schema_version\":\"1.1.3\",\"observable\":{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"},\"type\":\"judgement\",\"source\":\"Talos Intelligence\",\"disposition\":5,\"reason\":\"Neutral Talos Intelligence reputation score\",\"source_uri\":\"https://www.talosintelligence.com/reputation_center/lookup?search=darnellw-official-win10.qa.code42.com\",\"disposition_name\":\"Unknown\",\"priority\":90,\"id\":\"transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156\",\"severity\":\"Low\",\"tlp\":\"white\",\"confidence\":\"High\"}]}}},{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":100,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action 
fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.258Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335653Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14200,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6b163d1438afbe087bb895d76ea393e7\\\",\\\"sha256Checksum\\\":\\\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.926Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMedi
aSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ae30f7b4-650d-56a3-990a-333256499e3b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.258Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.926Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"2021-09-16T22:52:32.760Z\",14200,\"code42-exfil-share-datatype\",\"6b163d1438afbe087bb895d76ea393e7\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.258Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.172Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336782Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Configuration.Binder.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":24952,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f97d210b3ede360f920e2b1d5b702d6b\\\",\\\"sha256Checksum\\\":\\\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.771Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":n
ull,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2c21877d-e685-5034-ab53-29f1b1a2b738\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.172Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Configuration.Binder.dll\",\"
DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"2021-09-16T22:52:32.763Z\",24952,\"code42-exfil-share-datatype\",\"f97d210b3ede360f920e2b1d5b702d6b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.172Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.771Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:31.153Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337748Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"msoimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11529088,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3f7fb1d32a7be58e65dc615a9553e183\\\",\\\"sha256Checksum\\\":\\\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.183Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:53.564Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-12314f44-1778-5595-ad19-9d3d7cfc50fe\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:31.153Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msoimm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICI
AL-WIN10.qa.code42.com\",\"2021-08-23T09:31:53.564Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"2021-09-16T22:52:32.766Z\",11529088,\"code42-exfil-share-datatype\",\"3f7fb1d32a7be58e65dc615a9553e183\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:31.153Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.183Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.086Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336563Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"AutoMapper.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":286720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ff3c3d84a000d57ef7d443f594d407ec\\\",\\\"sha256Checksum\\\":\\\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\\\",\\\"createTimestamp\\\":\\\"2021-06-17T09:48:12.583Z\\\",\\\"modifyTimestamp\\\":\\\"2021-06-17T09:48:17.915Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\"
:false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d912d326-0b65-5278-97f3-daacc2394c00\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.086Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"AutoMapper.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OF
FICIAL-WIN10.qa.code42.com\",\"2021-06-17T09:48:17.915Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"2021-09-16T22:52:32.759Z\",286720,\"code42-exfil-share-datatype\",\"ff3c3d84a000d57ef7d443f594d407ec\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.086Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-06-17T09:48:12.583Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.102Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335997Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":31744,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"88d5e6253dcb376fb076c87713b3628e\\\",\\\"sha256Checksum\\\":\\\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.614Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.054Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6b66f85d-68f8-5d9c-9c2a-b64a13f332bc\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.102Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.054Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"2021-09-16T22:52:32.766Z\",31744,\"code42-exfil-share-datatype\",\"88d5e6253dcb376fb076c87713b3628e\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.102Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.614Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.292Z 804e3b095828 Skyformation - 7352347330459896280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Telemetry.dll fsize=528248 msg=Resource [Resource: file :: Telemetry.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Telemetry.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.528Z ext_md5Checksum=eb3af15f534b067d98dac6a346728096 ext_sharedWith=[] ext_sha256Checksum=51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=528248 ext_insertionTimestamp=2021-09-16T22:51:22.314633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.519Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.292Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314633Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Telemetry.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":528248,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"eb3af15f534b067d98dac6a346728096\\\",\\\"sha256Checksum\\\":\\\"51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:16.519Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:16.528Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":n
ull,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2ab229de-8984-5eac-9af7-ee322bfd976e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.292Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Telemetry.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:16.528Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae\",\"2021-09-16T22:52:32.758Z\",528248,\"code42-exfil-share-datatype\",\"eb3af15f534b067d98dac6a346728096\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.292Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:16.519Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.123Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337678Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"igxim.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":4910872,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d19ae43d04b6c5c4b5f3fcc081b9e602\\\",\\\"sha256Checksum\\\":\\\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.611Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\
\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e9e5d067-489a-514d-9f2a-08e47f979775\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:28.123Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"igxim.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIA
L-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.611Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"2021-09-16T22:52:32.759Z\",4910872,\"code42-exfil-share-datatype\",\"d19ae43d04b6c5c4b5f3fcc081b9e602\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.123Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.136Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336703Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Client.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"987db26b17dc24d5b7dec25db1c103c2\\\",\\\"sha256Checksum\\\":\\\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.839Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d50e681f-cbb7-5757-b591-ef459f2fee04\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.136Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Client.dll\",\"DARN
ELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.839Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"2021-09-16T22:52:32.759Z\",18296,\"code42-exfil-share-datatype\",\"987db26b17dc24d5b7dec25db1c103c2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.136Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.196Z 804e3b095828 Skyformation - 5829787252207277270 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499196 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.196Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.222Z ext_md5Checksum=0e8e10650f39cb0b09ba8c47f840530f ext_sharedWith=[] ext_sha256Checksum=f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.334964Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.196Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334964Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"0e8e10650f39cb0b09ba8c47f840530f\\\",\\\"sha256Checksum\\\":\\\"f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.190Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.222Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-279e346e-a172-5393-bce2-3384bb0b5eff\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.196Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.222Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9\",\"2021-09-16T22:52:32.755Z\",14224,\"code42-exfil-share-datatype\",\"0e8e10650f39cb0b09ba8c47f840530f\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.196Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.190Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.331Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337467Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"Office.UI.Xaml.Core.winmd\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":20280,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d16aec0e28a5f509a04722edf62e01eb\\\",\\\"sha256Checksum\\\":\\\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:54.439Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"ou
tsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fe18df90-42e5-5d27-991a-1674d0d8c19a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.331Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"Office.UI.Xaml.Core.winmd\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:54.439Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"2021-09-16T22:52:32.764Z\",20280,\"code42-exfil-share-datatype\",\"d16aec0e28a5f509a04722edf62e01eb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.331Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.300Z 804e3b095828 Skyformation - 5713470709720643753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520300 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UpdateRingSettings.dll fsize=500600 msg=Resource [Resource: file :: UpdateRingSettings.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.300Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UpdateRingSettings.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.589Z ext_md5Checksum=8670927c143a1e54c0e7d9e7a56159b1 ext_sharedWith=[] ext_sha256Checksum=83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=500600 ext_insertionTimestamp=2021-09-16T22:51:22.314645Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.300Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314645Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"UpdateRingSettings.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":500600,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"8670927c143a1e54c0e7d9e7a56159b1\\\",\\\"sha256Checksum\\\":\\\"83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:16.583Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:16.589Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaN
ame\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-16d48bab-8124-5e36-b3e0-42349bf00cc4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.300Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UpdateRingSettings.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:16.589Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0\",\"2021-09-16T22:52:32.756Z\",500600,\"code42-exfil-share-datatype\",\"8670927c143a1e54c0e7d9e7a56159b1\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.300Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:16.583Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:39.350Z 804e3b095828 Skyformation - 8180994352798970218 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncConfig.exe fsize=635768 msg=Resource [Resource: file :: FileSyncConfig.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncConfig.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.389Z ext_md5Checksum=23843c09217f08eef3def81b6e92e645 ext_sharedWith=[] ext_sha256Checksum=282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=635768 ext_insertionTimestamp=2021-09-16T22:51:15.337907Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.374Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:39.350Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337907Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSyncConfig.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":635768,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"23843c09217f08eef3def81b6e92e645\\\",\\\"sha256Checksum\\\":\\\"282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:12.374Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:12.389Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName
\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d415923a-bee3-570e-b61e-3d5b35de5969\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:39.350Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSyncConfig.exe\",\"DARNELLW-OFFICI\",\"DARNE
LLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:12.389Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99\",\"2021-09-16T22:52:32.756Z\",635768,\"code42-exfil-share-datatype\",\"23843c09217f08eef3def81b6e92e645\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:39.350Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:12.374Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.194Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336844Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Options.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":50552,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"89c3d573e8b2e5a71850a69f14fff1a5\\\",\\\"sha256Checksum\\\":\\\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.786Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.917Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5dfd09b1-1bb7-5ed5-8f2d-610478d2f8fa\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.194Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Options.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.917Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"2021-09-16T22:52:32.763Z\",50552,\"code42-exfil-share-datatype\",\"89c3d573e8b2e5a71850a69f14fff1a5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.194Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.786Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.316Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336422Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":36240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e2dd338ceac0daebdfdf99d72e40fd80\\\",\\\"sha256Checksum\\\":\\\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.643Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.349Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7a401f3c-d0bf-5d2f-a8fd-832c43bf3a28\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.316Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI
\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.349Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"2021-09-16T22:52:32.761Z\",36240,\"code42-exfil-share-datatype\",\"e2dd338ceac0daebdfdf99d72e40fd80\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.316Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.643Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.309Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337398Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxOutlook.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1439232,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"845c649d20d35fc78fbab0c0d9ec5ec6\\\",\\\"sha256Checksum\\\":\\\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.168Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHo
urs\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4e24a545-12b5-5f9d-b26a-bb7e332d690d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.309Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxOutlook.exe\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.168Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"2021-09-16T22:52:32.761Z\",1439232,\"code42-exfil-share-datatype\",\"845c649d20d35fc78fbab0c0d9ec5ec6\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.309Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:39.345Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337890Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSync.Resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2382208,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"3c69d0029f27ff52a1b4d3f70fef0d2b\\\",\\\"sha256Checksum\\\":\\\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:12.114Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:12.146Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMedi
aName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3b61846d-7e29-5db8-b9ac-8f09a942b29c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:39.345Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSync.Resources.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:12.146Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"2021-09-16T22:52:32.760Z\",2382208,\"code42-exfil-share-datatype\",\"3c69d0029f27ff52a1b4d3f70fef0d2b\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:39.345Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:12.114Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.322Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335199Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"WindowsFormsIntegration.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14736,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\\\",\\\"sha256Checksum\\\":\\\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.379Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-48da0a98-8bf3-5368-898a-38df3042e727\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.322Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WindowsFormsIntegration.resources.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.379Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"2021-09-16T22:52:32.766Z\",14736,\"code42-exfil-share-datatype\",\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.322Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.158Z 804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.158Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336139Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f96e04ea6cbce1560b83bff7a42f29b0\\\",\\\"sha256Checksum\\\":\\\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.849Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a19de0e9-b0a6-5af1-b5fd-d33b5ca62e22\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.158Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.849Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"2021-09-16T22:52:32.763Z\",14224,\"code42-exfil-share-datatype\",\"f96e04ea6cbce1560b83bff7a42f29b0\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.158Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.178Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337186Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"YourPhoneServer.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":47104,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"640c3b31c496531dacc0a8fb830fd457\\\",\\\"sha256Checksum\\\":\\\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.653Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.484Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours
\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0fff593c-89eb-5aa2-84bb-cb724b886696\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:23.178Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneServer.exe\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.484Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"2021-09-16T22:52:32.765Z\",47104,\"code42-exfil-share-datatype\",\"640c3b31c496531dacc0a8fb830fd457\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.178Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.653Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.184Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337194Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"libnanoapimanaged.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7197696,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ff0f788645e78335908728321c10454b\\\",\\\"sha256Checksum\\\":\\\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.638Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.359Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3dc7244c-e1bd-5b60-bdb4-2cb874a6fd43\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:23.184Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"libnanoapimanaged.dll\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.359Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"2021-09-16T22:52:32.759Z\",7197696,\"code42-exfil-share-datatype\",\"ff0f788645e78335908728321c10454b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.184Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.638Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.206Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315122Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-string-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18296,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"f340a17ac423c71767d66973f69d05c8\\\",\\\"sha256Checksum\\\":\\\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.882Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.883Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableM
ediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d693bd9e-8d43-50df-a4ca-e6e50cf7b354\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:41.206Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-string-l1-1-0.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.883Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"2021-09-16T22:52:32.761Z\",18296,\"code42-exfil-share-datatype\",\"f340a17ac423c71767d66973f69d05c8\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.206Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.882Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.089Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336572Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Castle.Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":442368,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"2fba45e50a9fb187e9873416bc6b4400\\\",\\\"sha256Checksum\\\":\\\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.137Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:05.699Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\
":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fdc9d09f-3af0-54ae-a39c-63221dc894ec\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.089Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Castle.Core.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-O
FFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:05.699Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"2021-09-16T22:52:32.760Z\",442368,\"code42-exfil-share-datatype\",\"2fba45e50a9fb187e9873416bc6b4400\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.089Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.137Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.100Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337625Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\\\",\\\"fileName\\\":\\\"msointlimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":377184,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"99d060c13d92442ea518ad6c13305532\\\",\\\"sha256Checksum\\\":\\\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.887Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:50.699Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideAc
tiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-534dea1b-0dc4-5ca4-8133-5b7d820baf25\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:28.100Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msointlimm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OF
FICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:50.699Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"2021-09-16T22:52:32.765Z\",377184,\"code42-exfil-share-datatype\",\"99d060c13d92442ea518ad6c13305532\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.100Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.887Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:31.175Z 804e3b095828 Skyformation - 937782685410137034 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511175 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=saext.dll fsize=559480 msg=Resource [Resource: file :: saext.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.175Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=saext.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.174Z ext_md5Checksum=4a0f85409681a359adbbda4104daa7fb ext_sharedWith=[] ext_sha256Checksum=046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=559480 ext_insertionTimestamp=2021-09-16T22:51:15.337820Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:31.175Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337820Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"saext.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":559480,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"4a0f85409681a359adbbda4104daa7fb\\\",\\\"sha256Checksum\\\":\\\"046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:55.174Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\
\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2113c1b0-3556-58e7-a54a-1004516f2597\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:31.175Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"saext.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:55.174Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9\",\"2021-09-16T22:52:32.758Z\",559480,\"code42-exfil-share-datatype\",\"4a0f85409681a359adbbda4104daa7fb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:31.175Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.241Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335618Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d1b7ec7c3a95ec1e84117bfef59f1ab6\\\",\\\"sha256Checksum\\\":\\\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.863Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecip
ients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d03cc6e3-0d73-5ec3-902a-28c04f19e570\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.241Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll
\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.863Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"2021-09-16T22:52:32.765Z\",15240,\"code42-exfil-share-datatype\",\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.241Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.325Z 804e3b095828 Skyformation - 5312164448627929884 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499325 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=3584 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.325Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.728Z ext_md5Checksum=c62d73c8ea0d55db08cceec7afc7e3cc ext_sharedWith=[] ext_sha256Checksum=2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3584 ext_insertionTimestamp=2021-09-16T22:51:15.335208Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.577Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.325Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335208Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":3584,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c62d73c8ea0d55db08cceec7afc7e3cc\\\",\\\"sha256Checksum\\\":\\\"2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.577Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.728Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nul
l,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cf841002-dfb0-5c90-9fb1-281afd8d004d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.325Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.728Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd\",\"2021-09-16T22:52:32.756Z\",3584,\"code42-exfil-share-datatype\",\"c62d73c8ea0d55db08cceec7afc7e3cc\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.325Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.577Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.132Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334824Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\\\",\\\"fileName\\\":\\\"UIAutomationTypes.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b81fa8bc88192c7febd2479638aea569\\\",\\\"sha256Checksum\\\":\\\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.158Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.113Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6b44195a-efec-59e6-90b2-a72c680eb96b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.132Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationTypes.resources.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.113Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"2021-09-16T22:52:32.759Z\",17296,\"code42-exfil-share-datatype\",\"b81fa8bc88192c7febd2479638aea569\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.132Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.158Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.411Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314807Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-libraryloader-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12664,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"94d4e2bb8654b77c41cd35574e3f0299\\\",\\\"sha256Checksum\\\":\\\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.401Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.402Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"rem
ovableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-44a1a814-a037-5649-ace1-3f3276228e78\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.411Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"DAR
NELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.402Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"2021-09-16T22:52:32.762Z\",12664,\"code42-exfil-share-datatype\",\"94d4e2bb8654b77c41cd35574e3f0299\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.411Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.401Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.098Z 804e3b095828 Skyformation - 7444223728288167550 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508098 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointl30_winrt.dll fsize=86384 msg=Resource [Resource: file :: msointl30_winrt.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.098Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointl30_winrt.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.683Z ext_md5Checksum=18ad415ef30924748d83afeeee4d9cb0 ext_sharedWith=[] ext_sha256Checksum=e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=86384 ext_insertionTimestamp=2021-09-16T22:51:15.337616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.098Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337616Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\\\",\\\"fileName\\\":\\\"msointl30_winrt.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":86384,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"18ad415ef30924748d83afeeee4d9cb0\\\",\\\"sha256Checksum\\\":\\\"e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.887Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:50.683Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7e4dc97b-2030-545d-a650-c48fd51597ec\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:28.098Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msointl30_winrt.dll\",\"DARNELLW-OFFICI\",\"DARNEL
LW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:50.683Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd\",\"2021-09-16T22:52:32.758Z\",86384,\"code42-exfil-share-datatype\",\"18ad415ef30924748d83afeeee4d9cb0\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.098Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.887Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:18.268Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334477Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\\\",\\\"fileName\\\":\\\"PresentationUI.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":45448,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c9ea75b02fd1d01f87d8ca868c1ec833\\\",\\\"sha256Checksum\\\":\\\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.111Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:47.879Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-536ae9c9-aa2b-556e-92fa-d090d49269b6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:18.268Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationUI.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:47.879Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"2021-09-16T22:52:32.759Z\",45448,\"code42-exfil-share-datatype\",\"c9ea75b02fd1d01f87d8ca868c1ec833\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:18.268Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.111Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.105Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336624Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"DotNetty.Transport.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":254464,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"4a67dcf64aab4980b9bd9fb623cc7242\\\",\\\"sha256Checksum\\\":\\\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.044Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-37290152-c41e-56db-908e-bd32da2df133\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.105Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"DotNetty.Transport.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.044Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"2021-09-16T22:52:32.765Z\",254464,\"code42-exfil-share-datatype\",\"4a67dcf64aab4980b9bd9fb623cc7242\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.105Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.250Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336984Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Collections.Immutable.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":302216,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d8203aedaabeac1e606cd0e2af397d01\\\",\\\"sha256Checksum\\\":\\\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.294Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-dfab61df-0096-5423-8a0c-b2c4dc5b8b98\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.250Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Collections.Immutable.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.294Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"2021-09-16T22:52:32.760Z\",302216,\"code42-exfil-share-datatype\",\"d8203aedaabeac1e606cd0e2af397d01\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.250Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.303Z 804e3b095828 Skyformation - 2504656101616966541 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WebView2Loader.dll fsize=136576 msg=Resource [Resource: file :: WebView2Loader.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WebView2Loader.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.620Z ext_md5Checksum=82c2b3a8e75ab4fc6cc1360ea2c663e3 ext_sharedWith=[] ext_sha256Checksum=d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=136576 ext_insertionTimestamp=2021-09-16T22:51:22.314656Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.303Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314656Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"WebView2Loader.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":136576,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"82c2b3a8e75ab4fc6cc1360ea2c663e3\\\",\\\"sha256Checksum\\\":\\\"d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:16.618Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:16.620Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\
\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-02622f5a-4fce-56fe-901b-863245b815d6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.303Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WebView2Loader.dll\",\"DARNELLW-OFFICI\",\"DARNE
LLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:16.620Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a\",\"2021-09-16T22:52:32.755Z\",136576,\"code42-exfil-share-datatype\",\"82c2b3a8e75ab4fc6cc1360ea2c663e3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.303Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:16.618Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.201Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314355Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.WebSocketClient.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1103208,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"e93c70df0faa580e8272c9c833238352\\\",\\\"sha256Checksum\\\":\\\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.457Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.468Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"r
emovableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5da6e225-f60e-5faa-9c7e-9550e0df63ac\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.201Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.WebSocketClient.dll\",\"DAR
NELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.468Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"2021-09-16T22:52:32.763Z\",1103208,\"code42-exfil-share-datatype\",\"e93c70df0faa580e8272c9c833238352\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.201Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.457Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.219Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336922Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Newtonsoft.Json.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":653824,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f33cbe589b769956284868104686cc2d\\\",\\\"sha256Checksum\\\":\\\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.618Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.588Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fe8ae781-02a0-5307-abd5-6384db4d2597\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.219Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Newtonsoft.Json.dll\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.588Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"2021-09-16T22:52:32.761Z\",653824,\"code42-exfil-share-datatype\",\"f33cbe589b769956284868104686cc2d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.219Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.618Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.168Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336774Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Configuration.Abstractions.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":21368,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1c8f3a5d41fd162943613952097db8b\\\",\\\"sha256Checksum\\\":\\\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.771Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients
\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7eaa3a3c-8d7d-5542-ba3c-9a16e57c793b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.168Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Configuration.Abstractions.
dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"2021-09-16T22:52:32.765Z\",21368,\"code42-exfil-share-datatype\",\"e1c8f3a5d41fd162943613952097db8b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.168Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.771Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.234Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314470Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5Gui.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6671232,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"f53d5cd7837e933cf4cc8c07a1a88350\\\",\\\"sha256Checksum\\\":\\\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.375Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.450Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-017b269d-f20a-556e-98ca-8882048439ca\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.234Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5Gui.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFI
CIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.450Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"2021-09-16T22:52:32.762Z\",6671232,\"code42-exfil-share-datatype\",\"f53d5cd7837e933cf4cc8c07a1a88350\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.234Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.375Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.279Z 804e3b095828 Skyformation - 1930420880376628781 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507279 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.Ipc.Proxies.dll fsize=15872 msg=Resource [Resource: file :: HxComm.Ipc.Proxies.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.279Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.Ipc.Proxies.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.074Z ext_md5Checksum=cf6b921615692c64ac828dd7a37dd753 ext_sharedWith=[] ext_sha256Checksum=a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15872 ext_insertionTimestamp=2021-09-16T22:51:15.337336Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.279Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337336Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxComm.Ipc.Proxies.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15872,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"cf6b921615692c64ac828dd7a37dd753\\\",\\\"sha256Checksum\\\":\\\"a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.074Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a7581d2d-5489-5d5e-90a1-c3053d0c9faf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.279Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxComm.Ipc.Proxies.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.074Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1\",\"2021-09-16T22:52:32.758Z\",15872,\"code42-exfil-share-datatype\",\"cf6b921615692c64ac828dd7a37dd753\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.279Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.409Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314795Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-interlocked-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11640,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"72413f1254d09348dab76ee4e5e2e300\\\",\\\"sha256Checksum\\\":\\\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.394Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.395Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"remov
ableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-dfa102a1-c14f-54fa-a264-167f1cca11d6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.409Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-interlocked-l1-1-0.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.395Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"2021-09-16T22:52:32.767Z\",11640,\"code42-exfil-share-datatype\",\"72413f1254d09348dab76ee4e5e2e300\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.409Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.394Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.124Z 804e3b095828 Skyformation - 4266986604087729995 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500124 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.124Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.960Z ext_md5Checksum=303d4e1e6736b01a0e0d418c543c1346 ext_sharedWith=[] ext_sha256Checksum=4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335373Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.124Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335373Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20992,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"303d4e1e6736b01a0e0d418c543c1346\\\",\\\"sha256Checksum\\\":\\\"4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.591Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.960Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3f6c10e2-6344-52d5-8291-7e3610ff01c3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.124Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.960Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6\",\"2021-09-16T22:52:32.757Z\",20992,\"code42-exfil-share-datatype\",\"303d4e1e6736b01a0e0d418c543c1346\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.124Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.591Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.229Z 804e3b095828 Skyformation - 7367432510121182400 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520229 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Core.dll fsize=5929344 msg=Resource [Resource: file :: Qt5Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.229Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.180Z ext_md5Checksum=0629615fa66f3c3d4f16741c7fc04807 ext_sharedWith=[] ext_sha256Checksum=5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5929344 ext_insertionTimestamp=2021-09-16T22:51:22.314447Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.121Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.229Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314447Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":5929344,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"0629615fa66f3c3d4f16741c7fc04807\\\",\\\"sha256Checksum\\\":\\\"5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.121Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.180Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nu
ll,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-66babe0b-6e97-52f2-964c-23812722ada2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.229Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5Core.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.180Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5\",\"2021-09-16T22:52:32.756Z\",5929344,\"code42-exfil-share-datatype\",\"0629615fa66f3c3d4f16741c7fc04807\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.229Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.121Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.246Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336975Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Buffers.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20856,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ecdfe8ede869d2ccc6bf99981ea96400\\\",\\\"sha256Checksum\\\":\\\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.619Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.607Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\
\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6952810f-046c-5949-8e5d-34f48532431a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.246Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Buffers.dll\",\"DARNELLW-OFFICI\",\"DARNELL
W-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.607Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"2021-09-16T22:52:32.759Z\",20856,\"code42-exfil-share-datatype\",\"ecdfe8ede869d2ccc6bf99981ea96400\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.246Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.619Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.139Z 804e3b095828 Skyformation - 675604398557112437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502139 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Common.dll fsize=37240 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Common.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.139Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Common.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=405c72ee27026791aae1d61e63941509 ext_sharedWith=[] ext_sha256Checksum=838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37240 ext_insertionTimestamp=2021-09-16T22:51:15.336712Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.139Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336712Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Common.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":37240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"405c72ee27026791aae1d61e63941509\\\",\\\"sha256Checksum\\\":\\\"838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.839Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f86a975c-9f26-5e51-802f-84c2af9a6932\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.139Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Common.dll\",\"DARNEL
LW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.839Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a\",\"2021-09-16T22:52:32.756Z\",37240,\"code42-exfil-share-datatype\",\"405c72ee27026791aae1d61e63941509\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.139Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.231Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314459Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5DBus.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":437624,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"d10cb4ac9a26d6350f1079399351e9d3\\\",\\\"sha256Checksum\\\":\\\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.238Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.354Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-51e040bc-c210-5e54-ab78-5a8a0241c9ec\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.231Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5DBus.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.354Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"2021-09-16T22:52:32.760Z\",437624,\"code42-exfil-share-datatype\",\"d10cb4ac9a26d6350f1079399351e9d3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.231Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.238Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.086Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335338Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\\\",\\\"fileName\\\":\\\"mscorrc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":13176,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"fc24926593d08479a7ed2bdaff458d20\\\",\\\"sha256Checksum\\\":\\\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.252Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.613Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":f
alse,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bb64de71-ae43-53b8-99b8-1d60d6a1fce9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.086Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"mscorrc.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.613Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"2021-09-16T22:52:32.759Z\",13176,\"code42-exfil-share-datatype\",\"fc24926593d08479a7ed2bdaff458d20\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.086Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.252Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.281Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337345Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxComm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":22965248,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3bf2cfa3eeecd650c9564a2b6543b398\\\",\\\"sha256Checksum\\\":\\\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:51.480Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-59a10cc7-a14c-5876-9451-e86731e2b5a1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.281Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxComm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFI
CIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:51.480Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"2021-09-16T22:52:32.760Z\",22965248,\"code42-exfil-share-datatype\",\"3bf2cfa3eeecd650c9564a2b6543b398\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.281Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.163Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335444Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17272,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b5cb4e7532586d8ec2a144fe895ef55d\\\",\\\"sha256Checksum\\\":\\\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.330Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.707Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1d401e9a-2cb1-5def-a24d-24a9b8b5ac8b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.163Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.707Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"2021-09-16T22:52:32.765Z\",17272,\"code42-exfil-share-datatype\",\"b5cb4e7532586d8ec2a144fe895ef55d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.163Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.330Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.303Z 804e3b095828 Skyformation - 808043852961842895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=256912 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.082Z ext_md5Checksum=dc8ca3ec6a99318b649dc686002e72d4 ext_sharedWith=[] ext_sha256Checksum=75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=256912 ext_insertionTimestamp=2021-09-16T22:51:15.335757Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.303Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335757Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"PresentationFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":256912,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"dc8ca3ec6a99318b649dc686002e72d4\\\",\\\"sha256Checksum\\\":\\\"75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.377Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.082Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,
\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-affd0ffb-ec18-572a-a4fd-d077df9f8e38\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.303Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationFramework.resources.dll\",\"DARNELLW-O
FFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.082Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c\",\"2021-09-16T22:52:32.757Z\",256912,\"code42-exfil-share-datatype\",\"dc8ca3ec6a99318b649dc686002e72d4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.303Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.377Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.288Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335722Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\\\",\\\"sha256Checksum\\\":\\\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.598Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.987Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\
":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c63c47b6-7c5e-566e-aa43-5f12c76a8510\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.288Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.987Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"2021-09-16T22:52:32.761Z\",26112,\"code42-exfil-share-datatype\",\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.288Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.598Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.125Z 804e3b095828 Skyformation - 6459940454527848135 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501125 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=37264 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.125Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=0d48b65e82aff3b5d117729868cf0319 ext_sharedWith=[] ext_sha256Checksum=1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37264 ext_insertionTimestamp=2021-09-16T22:51:15.336060Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.125Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336060Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":37264,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"0d48b65e82aff3b5d117729868cf0319\\\",\\\"sha256Checksum\\\":\\\"1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.755Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-68df9315-560d-5c70-8845-a14a097e8135\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.125Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI
\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.755Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d\",\"2021-09-16T22:52:32.757Z\",37264,\"code42-exfil-share-datatype\",\"0d48b65e82aff3b5d117729868cf0319\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.125Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:30.321Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337686Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"inktotextengineimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":346480,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3579a936952da7532c4358700bed43a3\\\",\\\"sha256Checksum\\\":\\\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.183Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.674Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outside
ActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8fc99d0b-10ae-5866-bcf6-596487b75f28\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:30.321Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"inktotextengineimm.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.674Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"2021-09-16T22:52:32.762Z\",346480,\"code42-exfil-share-datatype\",\"3579a936952da7532c4358700bed43a3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:30.321Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.183Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.391Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314714Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-debug-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11648,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"5c7fa0b68872c2d1d3f10601e3af2341\\\",\\\"sha256Checksum\\\":\\\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.181Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.185Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMe
diaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-df11e4bd-5223-5ba3-998c-63e5b6a7404f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.391Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-debug-l1-1-0.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.185Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"2021-09-16T22:52:32.758Z\",11648,\"code42-exfil-share-datatype\",\"5c7fa0b68872c2d1d3f10601e3af2341\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.391Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.181Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.245Z 804e3b095828 Skyformation - 9011587025266222990 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500245 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xaml.resources.dll fsize=64400 msg=Resource [Resource: file :: System.Xaml.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.245Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Xaml.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.879Z ext_md5Checksum=79f7a9435ff548517a7219880789cca3 ext_sharedWith=[] ext_sha256Checksum=030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=64400 ext_insertionTimestamp=2021-09-16T22:51:15.335626Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.245Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335626Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"System.Xaml.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":64400,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"79f7a9435ff548517a7219880789cca3\\\",\\\"sha256Checksum\\\":\\\"030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.879Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-21427167-a3b0-5f52-8702-af47599ee1bb\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.245Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xaml.resources.dll\",\"DARNELLW-OFFICI\",\"
DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.879Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683\",\"2021-09-16T22:52:32.758Z\",64400,\"code42-exfil-share-datatype\",\"79f7a9435ff548517a7219880789cca3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.245Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.281Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337045Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Text.Encodings.Web.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":59768,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"2e2490a823b4a3d290a98d0371d199ed\\\",\\\"sha256Checksum\\\":\\\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.215Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-098fcb07-3723-5a0e-8225-82803059eaf5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.281Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Text.Encodings.Web.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.215Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"2021-09-16T22:52:32.766Z\",59768,\"code42-exfil-share-datatype\",\"2e2490a823b4a3d290a98d0371d199ed\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.281Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.216Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337256Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"libnanoapi.lib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":1570,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"bb41b302cf1325c4f459616da8e605a2\\\",\\\"sha256Checksum\\\":\\\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.468Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:30.262Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeBy
Bytes\\\":\\\"application/x-archive\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-326df068-94c9-5e34-81e0-c9ea9531369e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:23.216Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libnanoapi.lib\",\"DARNELLW-OFFICI\",\"DARNEL
LW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:30.262Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"2021-09-16T22:52:32.763Z\",1570,\"code42-exfil-share-datatype\",\"bb41b302cf1325c4f459616da8e605a2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"Archive\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.216Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.468Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.388Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314702Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-datetime-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11648,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"98cfeaa96192d5dccc4a1852f6754fd5\\\",\\\"sha256Checksum\\\":\\\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.142Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.155Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removabl
eMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-821e586f-78f1-5c4b-a330-7c3a4a90e160\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.388Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-datetime-l1-1-0.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.155Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"2021-09-16T22:52:32.762Z\",11648,\"code42-exfil-share-datatype\",\"98cfeaa96192d5dccc4a1852f6754fd5\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.388Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.142Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.278Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336341Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\\\",\\\"fileName\\\":\\\"UIAutomationClient.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18320,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5e55e4041d9e6f6bf0d3738a25255913\\\",\\\"sha256Checksum\\\":\\\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.643Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.271Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7b553448-cac0-598c-9207-98392e4a6815\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.278Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationClient.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.271Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"2021-09-16T22:52:32.762Z\",18320,\"code42-exfil-share-datatype\",\"5e55e4041d9e6f6bf0d3738a25255913\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.278Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.643Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.060Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335277Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":30720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1ac89288b8009c9a0fb138fb9d67b150\\\",\\\"sha256Checksum\\\":\\\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.586Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.943Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1817976c-22c7-5ba2-a2ec-9f106a5188a4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.060Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.943Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"2021-09-16T22:52:32.763Z\",30720,\"code42-exfil-share-datatype\",\"1ac89288b8009c9a0fb138fb9d67b150\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.060Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.586Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.206Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336218Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\\\",\\\"fileName\\\":\\\"vcruntime140_cor3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":97160,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"18049f6811fc0f94547189a9e104f5d2\\\",\\\"sha256Checksum\\\":\\\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.611Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.958Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5fc598ee-3323-5bd8-b51e-6aa2487ff75f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.206Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"vcruntime140_cor3.dll\",\"DARNELLW-OFFICI\",\"DA
RNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.958Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"2021-09-16T22:52:32.762Z\",97160,\"code42-exfil-share-datatype\",\"18049f6811fc0f94547189a9e104f5d2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.206Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.611Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.292Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335127Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"System.Windows.Forms.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":355192,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"47613e3bfa408b3299c04d0df45433ba\\\",\\\"sha256Checksum\\\":\\\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.301Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\
\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ddd7dd6e-c60a-5d7c-a1c3-0df72e003f42\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.292Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Forms.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.301Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"2021-09-16T22:52:32.763Z\",355192,\"code42-exfil-share-datatype\",\"47613e3bfa408b3299c04d0df45433ba\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.292Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.204Z 804e3b095828 Skyformation - 6039121869236992200 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.dll fsize=8971112 msg=Resource [Resource: file :: Microsoft.SharePoint.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.091Z ext_md5Checksum=aa47b460aedf810bc504ff9cea7b4b71 ext_sharedWith=[] ext_sha256Checksum=c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8971112 ext_insertionTimestamp=2021-09-16T22:51:22.314366Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.994Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.204Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314366Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":8971112,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"aa47b460aedf810bc504ff9cea7b4b71\\\",\\\"sha256Checksum\\\":\\\"c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.994Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.091Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMed
iaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b2501b6d-6041-5a59-b80b-711a0c3b8cd0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.204Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.dll\",\"DARNELLW-OFFICI\",\
"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.091Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268\",\"2021-09-16T22:52:32.758Z\",8971112,\"code42-exfil-share-datatype\",\"aa47b460aedf810bc504ff9cea7b4b71\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.204Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.994Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:46.178Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315412Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\\\",\\\"fileName\\\":\\\"qtquickextrasplugin.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":80256,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"68118cdf04def6c50804a705773bbd9b\\\",\\\"sha256Checksum\\\":\\\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:21.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:21.223Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"
removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5083602b-a06b-5d24-af8f-2bfe63c17e91\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:46.178Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"qtquickextrasplugin.dll\",\"DARNELLW-OFFICI\",\"
DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:21.223Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"2021-09-16T22:52:32.765Z\",80256,\"code42-exfil-share-datatype\",\"68118cdf04def6c50804a705773bbd9b\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:46.178Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:21.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.207Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314378Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":729448,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"4bb5499613eca0fe0670a3cab2d5318e\\\",\\\"sha256Checksum\\\":\\\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.205Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.217Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMedi
aName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4705bfeb-5768-5df8-b473-f0f8d7e7e6fa\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.207Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.exe\",\"DARNELLW-OFFICI\",\
"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.217Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"2021-09-16T22:52:32.764Z\",729448,\"code42-exfil-share-datatype\",\"4bb5499613eca0fe0670a3cab2d5318e\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.207Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.205Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.146Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335417Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\\\",\\\"fileName\\\":\\\"PresentationFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":208784,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"beeb465b9ab84dbb8f78f866924d49fe\\\",\\\"sha256Checksum\\\":\\\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.315Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.676Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,
\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a2446362-b761-59ca-b266-481be937f20d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.146Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationFramework.resources.dll\",\"DARNELLW-O
FFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.676Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"2021-09-16T22:52:32.766Z\",208784,\"code42-exfil-share-datatype\",\"beeb465b9ab84dbb8f78f866924d49fe\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.146Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.315Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.076Z 804e3b095828 Skyformation - 147196130964191603 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501076 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.076Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.014Z ext_md5Checksum=081d17a68c2295a810e0b139bfa4e114 ext_sharedWith=[] ext_sha256Checksum=99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335934Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.605Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.076Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335934Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20992,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"081d17a68c2295a810e0b139bfa4e114\\\",\\\"sha256Checksum\\\":\\\"99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.605Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.014Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-44b73b40-4221-578b-9eae-d3810396510a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.076Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.014Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038\",\"2021-09-16T22:52:32.756Z\",20992,\"code42-exfil-share-datatype\",\"081d17a68c2295a810e0b139bfa4e114\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.076Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.605Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.350Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337538Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"TextEntityExtractorProxy.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":638976,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f8af1754c0bdb86deb1f68930784d580\\\",\\\"sha256Checksum\\\":\\\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:55.205Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-136baa2d-5aea-5b0a-9418-0a52aa609308\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.350Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"TextEntityExtractorProxy.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:55.205Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"2021-09-16T22:52:32.767Z\",638976,\"code42-exfil-share-datatype\",\"f8af1754c0bdb86deb1f68930784d580\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.350Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.090Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335347Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":19968,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b2f71614b51575b117cfa4356d851423\\\",\\\"sha256Checksum\\\":\\\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.589Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.950Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5dc47da6-f678-5f91-974b-61b966157a34\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.090Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.950Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"2021-09-16T22:52:32.761Z\",19968,\"code42-exfil-share-datatype\",\"b2f71614b51575b117cfa4356d851423\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.090Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.589Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z 
ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:47:48.222Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:56:50.885010Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/\\\",\\\"fileName\\\":\\\"sshd.pid\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":6,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"4ae3b17c6481c84809152f331f7d783c\\\",\\\"sha256Checksum\\\":\\\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\\\",\\\"createTimestamp\\\":\\\"2021-03-17T09:49:37.832Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T09:39:11.904Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\"
,\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-89f62135-5d10-5c8b-b5fa-817a2c27a8aa\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:47:48.222Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}
],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"sshd.pid\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T09:39:11.904Z\",\"application/octet-stream\",\"MODIFIED\",\"162.222.47.183\",\"darnell.waters\",\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"2021-09-16T22:58:29.756Z\",6,\"code42-exfil-share-datatype\",\"4ae3b17c6481c84809152f331f7d783c\",57848,\"false\",\"TRUE\",\"C:/\",\"Document\",\"Administrators\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:47:48.222Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-03-17T09:49:37.832Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.158Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314982Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-conio-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12664,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"c61e3c9099cc2b143cc93bf26ac01d34\\\",\\\"sha256Checksum\\\":\\\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.790Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.790Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMed
iaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ea331943-231d-59ae-b045-bf2899370e95\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:41.158Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-conio-l1-1-0.dll\",\"DARNELLW-OFFIC
I\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.790Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"2021-09-16T22:52:32.763Z\",12664,\"code42-exfil-share-datatype\",\"c61e3c9099cc2b143cc93bf26ac01d34\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.158Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.790Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.134Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336077Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"System.Windows.Forms.Design.Editors.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":78200,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3feb5a138ff178c1dd47a8a99f394517\\\",\\\"sha256Checksum\\\":\\\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.771Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipie
nts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-38500b3c-d09a-5933-9f12-8ce1bcf80dc7\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.134Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Forms.Design.Editors.resources.dl
l\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.771Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"2021-09-16T22:52:32.759Z\",78200,\"code42-exfil-share-datatype\",\"3feb5a138ff178c1dd47a8a99f394517\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.134Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.160Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336148Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"UIAutomationTypes.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17272,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"077bb8ca6a783006aacb63d08317c339\\\",\\\"sha256Checksum\\\":\\\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.849Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61471_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fedbe573-b72a-5077-ba5e-941b4ee49a84\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.160Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationTypes.resources.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.849Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"2021-09-16T22:52:32.764Z\",17272,\"code42-exfil-share-datatype\",\"077bb8ca6a783006aacb63d08317c339\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.160Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.284Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337354Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxCommModel.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":4250624,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1d0bcfa0671f607ba8e3ab53f893e8bb\\\",\\\"sha256Checksum\\\":\\\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.137Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActive
Hours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-19161eab-42bb-5946-8a45-838595016d88\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.284Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxCommModel.dll\",\"DARNELLW-OFFICI\",\"DARNELLW
-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.137Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"2021-09-16T22:52:32.763Z\",4250624,\"code42-exfil-share-datatype\",\"1d0bcfa0671f607ba8e3ab53f893e8bb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.284Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.166Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336765Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Caching.Memory.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":32120,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"9e7c8d18c1128488df0dea96a6b5be3c\\\",\\\"sha256Checksum\\\":\\\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.247Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-428b7375-7e1c-5850-8200-06507b5b34a0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.166Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Caching.Memory.dll\",\"DARNEL
LW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.247Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"2021-09-16T22:52:32.764Z\",32120,\"code42-exfil-share-datatype\",\"9e7c8d18c1128488df0dea96a6b5be3c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.166Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.128Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337977Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSyncTelemetryExtensions.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":71544,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"faaf9d982dbaa8ab547098f1fb6abc81\\\",\\\"sha256Checksum\\\":\\\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.402Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.405Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMe
diaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-91f9087e-ab21-5688-acba-fb1eb85ba5b8\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.128Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSyncTelemetryExtensions.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.405Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"2021-09-16T22:52:32.759Z\",71544,\"code42-exfil-share-datatype\",\"faaf9d982dbaa8ab547098f1fb6abc81\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.128Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.402Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.280Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335704Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"dc434cced48beee1b8f867474c5cc33d\\\",\\\"sha256Checksum\\\":\\\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.599Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.991Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\"
:null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f31e2487-c55b-515f-b8fc-e0a53f0ef25d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.280Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.991Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"2021-09-16T22:52:32.765Z\",26112,\"code42-exfil-share-datatype\",\"dc434cced48beee1b8f867474c5cc33d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.280Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.599Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.330Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335818Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15736,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1b1e7bc04757e673ca956218abdb7959\\\",\\\"sha256Checksum\\\":\\\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.393Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.144Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipien
ts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6cd2b8fc-f731-57c1-86f5-fed67f0957a8\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.330Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll\"
,\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.144Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"2021-09-16T22:52:32.766Z\",15736,\"code42-exfil-share-datatype\",\"1b1e7bc04757e673ca956218abdb7959\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.330Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.393Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.192Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314319Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.Calc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1333608,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"29b2b242a9fb8c094425d566c50f0958\\\",\\\"sha256Checksum\\\":\\\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.949Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.967Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMedi
aMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-34f54f93-f2dd-59f3-a154-10f1707d627b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.192Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.Calc.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.967Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"2021-09-16T22:52:32.760Z\",1333608,\"code42-exfil-share-datatype\",\"29b2b242a9fb8c094425d566c50f0958\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.192Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.949Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.191Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337203Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\\\",\\\"fileName\\\":\\\"e_sqlite3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":870400,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6844e4b40c797e392e1dddcfae0b8dd4\\\",\\\"sha256Checksum\\\":\\\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\\\",\\\"createTimestamp\\\":\\\"2020-08-20T09:07:00.718Z\\\",\\\"modifyTimestamp\\\":\\\"2020-08-20T09:07:05.686Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-eb7e3801-f619-540e-a8f4-05fc9da73c0c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:23.191Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"e_sqlite3.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2020-08-20T09:07:05.686Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"2021-09-16T22:52:32.766Z\",870400,\"code42-exfil-share-datatype\",\"6844e4b40c797e392e1dddcfae0b8dd4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.191Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-08-20T09:07:00.718Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.212Z 804e3b095828 Skyformation - 5968313916744927868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500212 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationCore.resources.dll fsize=108400 msg=Resource [Resource: file :: PresentationCore.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.212Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationCore.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.722Z ext_md5Checksum=5d4f96b6a42c28702870a533a7617bd5 ext_sharedWith=[] ext_sha256Checksum=30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=108400 ext_insertionTimestamp=2021-09-16T22:51:15.335548Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.346Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.212Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335548Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"PresentationCore.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":108400,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5d4f96b6a42c28702870a533a7617bd5\\\",\\\"sha256Checksum\\\":\\\"30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.346Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.722Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b903a5a3-b012-5096-a170-05bc5a2946ba\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.212Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationCore.resources.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.722Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7\",\"2021-09-16T22:52:32.757Z\",108400,\"code42-exfil-share-datatype\",\"5d4f96b6a42c28702870a533a7617bd5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.212Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.346Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.153Z 804e3b095828 Skyformation - 7743569861848583628 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-timezone-l1-1-0.dll fsize=12152 msg=Resource [Resource: file :: api-ms-win-core-timezone-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-timezone-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.779Z ext_md5Checksum=1036215228ab84a9089baf43196b5347 ext_sharedWith=[] ext_sha256Checksum=5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12152 ext_insertionTimestamp=2021-09-16T22:51:22.314959Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.778Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.153Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314959Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-timezone-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12152,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"1036215228ab84a9089baf43196b5347\\\",\\\"sha256Checksum\\\":\\\"5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.778Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.779Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removabl
eMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-061845c2-9952-5d67-8de4-bc1db5becde4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:41.153Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-timezone-l1-1-0.dll\",\"DARNELLW-O
FFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.779Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1\",\"2021-09-16T22:52:32.755Z\",12152,\"code42-exfil-share-datatype\",\"1036215228ab84a9089baf43196b5347\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.153Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.778Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.108Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336633Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Google.Protobuf.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":401064,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5e73f645a041a91618e33299cfe33851\\\",\\\"sha256Checksum\\\":\\\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.060Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-865b0547-28b5-5628-81aa-fd2365d64178\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.108Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Google.Protobuf.dll\",\"DARNELLW-OFFICI\",\"DARNEL
LW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.060Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"2021-09-16T22:52:32.766Z\",401064,\"code42-exfil-share-datatype\",\"5e73f645a041a91618e33299cfe33851\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.108Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.133Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336694Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Client.Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":144760,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1edab455db5fec76120731d3c11cb67\\\",\\\"sha256Checksum\\\":\\\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.823Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":n
ull,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5ee0bfc1-0b98-5a2f-bd7a-e2956ae8bd8c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.133Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"D
ARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.823Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"2021-09-16T22:52:32.761Z\",144760,\"code42-exfil-share-datatype\",\"e1edab455db5fec76120731d3c11cb67\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.133Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.161Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334894Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17784,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"981e3dd612e3d93ba10c54e46d378aa5\\\",\\\"sha256Checksum\\\":\\\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.190Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.176Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-25fd1982-75f3-5e52-902d-b527a9cd6267\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.161Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.176Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"2021-09-16T22:52:32.762Z\",17784,\"code42-exfil-share-datatype\",\"981e3dd612e3d93ba10c54e46d378aa5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.161Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.190Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.295Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335136Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5a9f0b52ac62762bd03d34c0e410acb3\\\",\\\"sha256Checksum\\\":\\\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.316Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipien
ts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-24d9af69-669e-5391-ae0b-c18dc61ef987\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.295Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll\"
,\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.316Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"2021-09-16T22:52:32.760Z\",15224,\"code42-exfil-share-datatype\",\"5a9f0b52ac62762bd03d34c0e410acb3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.295Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:44.248Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315215Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"ipcfile.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":519040,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"c0ae22d4188ac20d9d83dd26ad0aabe8\\\",\\\"sha256Checksum\\\":\\\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.591Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.599Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nu
ll,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-69abadfe-25fd-5e4f-a407-b3da485bbc62\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:44.248Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ipcfile.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.599Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"2021-09-16T22:52:32.766Z\",519040,\"code42-exfil-share-datatype\",\"c0ae22d4188ac20d9d83dd26ad0aabe8\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:44.248Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.591Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.190Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336835Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Logging.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":34168,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"47d7a055ee7672f9b54ba629da07a6a3\\\",\\\"sha256Checksum\\\":\\\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.786Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.917Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a9032f0e-b114-516c-83c5-fcd804f2e56f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.190Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Logging.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.917Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"2021-09-16T22:52:32.766Z\",34168,\"code42-exfil-share-datatype\",\"47d7a055ee7672f9b54ba629da07a6a3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.190Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.786Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.288Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337062Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Threading.Channels.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":45952,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"523c15d2368a36583c90119fd9f52fe7\\\",\\\"sha256Checksum\\\":\\\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.230Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ee91bb4e-5f06-55c9-a35c-5b16e355d85e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.288Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Threading.Channels.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.230Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"2021-09-16T22:52:32.766Z\",45952,\"code42-exfil-share-datatype\",\"523c15d2368a36583c90119fd9f52fe7\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.288Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:47.204Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315494Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\\\",\\\"fileName\\\":\\\"OneDriveSetup.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":47927168,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"82a458793a4b821e54408db1a0ae4124\\\",\\\"sha256Checksum\\\":\\\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\\\",\\\"createTimestamp\\\":\\\"2021-09-14T09:30:08.167Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-14T09:29:55.334Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null
,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e14fb3f3-aefb-52b4-b546-f90b3b7fd5d2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:47.204Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"OneDriveSetup.exe\",\"DARNELLW-OFFICI\",\"DARNELLW
-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-14T09:29:55.334Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"2021-09-16T22:52:32.761Z\",47927168,\"code42-exfil-share-datatype\",\"82a458793a4b821e54408db1a0ae4124\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:47.204Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-14T09:30:08.167Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.200Z 804e3b095828 Skyformation - 7793293095645548560 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501200 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=25088 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.200Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.082Z ext_md5Checksum=fa2e5b66e169df3e80f8eed33a789fbc ext_sharedWith=[] ext_sha256Checksum=9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=25088 ext_insertionTimestamp=2021-09-16T22:51:15.336201Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.622Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.200Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336201Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":25088,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"fa2e5b66e169df3e80f8eed33a789fbc\\\",\\\"sha256Checksum\\\":\\\"9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.622Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.082Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e29fa47e-bf50-58cf-9339-6c430ab38a62\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.200Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.082Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950\",\"2021-09-16T22:52:32.757Z\",25088,\"code42-exfil-share-datatype\",\"fa2e5b66e169df3e80f8eed33a789fbc\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.200Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.622Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.233Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336279Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":35728,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1b4ed26020dd106aaf2e1a6265dce9d\\\",\\\"sha256Checksum\\\":\\\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.627Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.224Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-36abdf49-657a-59e8-9c6b-bc66f117a563\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.233Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.224Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"2021-09-16T22:52:32.760Z\",35728,\"code42-exfil-share-datatype\",\"e1b4ed26020dd106aaf2e1a6265dce9d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.233Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.627Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:18.328Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334616Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":30720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c329416237b094613fc5f5a64b2ecbce\\\",\\\"sha256Checksum\\\":\\\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.564Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.664Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cb002c03-bff8-50b9-ab6c-38e051f8eaac\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:18.328Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.664Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"2021-09-16T22:52:32.765Z\",30720,\"code42-exfil-share-datatype\",\"c329416237b094613fc5f5a64b2ecbce\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:18.328Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.564Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.199Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315098Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-runtime-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":16248,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"439e89fa2d4882b639df5e8ec7a96ba3\\\",\\\"sha256Checksum\\\":\\\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.868Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removable
MediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c5651815-9eb9-5ee5-b593-f145187c5f2b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:41.199Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-runtime-l1-1-0.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"2021-09-16T22:52:32.759Z\",16248,\"code42-exfil-share-datatype\",\"439e89fa2d4882b639df5e8ec7a96ba3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.199Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.868Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.130Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336068Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d7b70d7ae944e13019a7796eb46e966c\\\",\\\"sha256Checksum\\\":\\\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.755Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6bbdcb3d-de81-5fa0-9ce8-8196cab49f6d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.130Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.755Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"2021-09-16T22:52:32.759Z\",17296,\"code42-exfil-share-datatype\",\"d7b70d7ae944e13019a7796eb46e966c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.130Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.307Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335765Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"PresentationUI.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":53112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"0bf7eed5f18b294cd26d33a71c831237\\\",\\\"sha256Checksum\\\":\\\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.377Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.098Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f7c7271c-b02f-55d5-8324-6347f8c2ef43\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.307Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationUI.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.098Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"2021-09-16T22:52:32.764Z\",53112,\"code42-exfil-share-datatype\",\"0bf7eed5f18b294cd26d33a71c831237\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.307Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.377Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.336Z 804e3b095828 Skyformation - 6096184265000961437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507336 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.HxAccounts.dll fsize=2942464 msg=Resource [Resource: file :: Office.UI.Xaml.HxAccounts.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.336Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.HxAccounts.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.642Z ext_md5Checksum=bae190aeab7c357c1ea766ab9254857c ext_sharedWith=[] ext_sha256Checksum=801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2942464 ext_insertionTimestamp=2021-09-16T22:51:15.337484Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.336Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337484Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"Office.UI.Xaml.HxAccounts.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2942464,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"bae190aeab7c357c1ea766ab9254857c\\\",\\\"sha256Checksum\\\":\\\"801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:54.642Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7f297a60-2a09-5bd3-9ef1-18510e5792a1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.336Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Office.UI.Xaml.HxAccounts.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:54.642Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c\",\"2021-09-16T22:52:32.758Z\",2942464,\"code42-exfil-share-datatype\",\"bae190aeab7c357c1ea766ab9254857c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.336Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:44.262Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315284Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"msipc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":3022712,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"dcd150947325c51dc49af1c568e76466\\\",\\\"sha256Checksum\\\":\\\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.484Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.519Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3764815d-d2f5-579a-be20-2c6282346cd1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:44.262Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msipc.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIA
L-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.519Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"2021-09-16T22:52:32.766Z\",3022712,\"code42-exfil-share-datatype\",\"dcd150947325c51dc49af1c568e76466\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:44.262Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.484Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.137Z 804e3b095828 Skyformation - 392809219994308060 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521137 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-rtlsupport-l1-1-0.dll fsize=12160 msg=Resource [Resource: file :: api-ms-win-core-rtlsupport-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.137Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-rtlsupport-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.749Z ext_md5Checksum=5bbca69ebadff5aa3456d95a857449f2 ext_sharedWith=[] ext_sha256Checksum=44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12160 ext_insertionTimestamp=2021-09-16T22:51:22.314900Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.748Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.137Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314900Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-rtlsupport-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12160,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"5bbca69ebadff5aa3456d95a857449f2\\\",\\\"sha256Checksum\\\":\\\"44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.748Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.749Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"remova
bleMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5bae4ed0-ed1b-5e79-9ed0-91754da9aa59\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:41.137Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-rtlsupport-l1-1-0.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.749Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751\",\"2021-09-16T22:52:32.756Z\",12160,\"code42-exfil-share-datatype\",\"5bbca69ebadff5aa3456d95a857449f2\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.137Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.748Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.285Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337054Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Text.Json.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":293248,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"64efa1bfed847afd252e7af274648474\\\",\\\"sha256Checksum\\\":\\\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.215Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHou
rs\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-edff67a4-85b1-54b8-8379-dbf469aa9a5d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.285Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Text.Json.dll\",\"DARNELLW-OFFICI\",\"DARNE
LLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.215Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"2021-09-16T22:52:32.764Z\",293248,\"code42-exfil-share-datatype\",\"64efa1bfed847afd252e7af274648474\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.285Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.258Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336992Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.ComponentModel.Annotations.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":43152,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"7d3d14b0417a68ccdd9c51972ff74863\\\",\\\"sha256Checksum\\\":\\\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.619Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.611Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"
outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8a5e3684-e7b1-5b9f-a209-d7869b01aeb5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.258Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.ComponentModel.Annotations.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.611Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"2021-09-16T22:52:32.766Z\",43152,\"code42-exfil-share-datatype\",\"7d3d14b0417a68ccdd9c51972ff74863\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.258Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.619Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.246Z 804e3b095828 Skyformation - 750953637013587902 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.725Z ext_md5Checksum=4fa0501c386184a3d8b599ab5bfdd7c2 ext_sharedWith=[] ext_sha256Checksum=72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335055Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.576Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.246Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335055Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20992,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"4fa0501c386184a3d8b599ab5bfdd7c2\\\",\\\"sha256Checksum\\\":\\\"72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.576Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.725Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"darnellw-official-win10.qa.code42.com\",\"type\":\"domain\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d0d89806-4329-54f1-92f8-0085c4d17855\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.246Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.725Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979\",\"2021-09-16T22:52:32.757Z\",20992,\"code42-exfil-share-datatype\",\"4fa0501c386184a3d8b599ab5bfdd7c2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.246Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.576Z\"]]}}]}}}],\"errors\":[{\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"code\":\"too-many-messages-warning\",\"message\":\"There are more messages in Exabeam for darnellw-official-win10.qa.code42.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages.\",\"type\":\"warning\",\"module\":\"Exabeam\"}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T09:49:23.287Z\",\"uuid\":\"b2159bf9-6bf6-4a8d-8959-9e8f33d5a856\"}]", "short_description": "Exabeam_domain", "omittedObservables": [], "archivedObservables": [{"key": "322a628a-ad99-4707-8997-7260985f4c11", "value": "darnellw-official-win10.qa.code42.com", "indicators": [], "type": "domain", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [{"valid_time": {"start_time": "2021-09-17T09:49:18.897Z", "end_time": "2021-10-17T09:49:18.897Z"}, "observable": {"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:f0bd0871", "action": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "judgement_id": "transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156"}], "notifications": [{"module_type": 
"873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f0bd0871", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "domain", "value": "darnellw-official-win10.qa.code42.com"}, "type": "warning", "action_id": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for darnellw-official-win10.qa.code42.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "darnellw-official-win10.qa.code42.com", "id": "f0bd0871", "judgements": [{"valid_time": {"start_time": "2021-09-17T09:49:18.897Z", "end_time": "2021-10-17T09:49:18.897Z"}, "schema_version": "1.1.3", "observable": {"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=darnellw-official-win10.qa.code42.com", "disposition_name": "Unknown", "priority": 90, "id": "transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156", "severity": "Low", "tlp": "white", "action": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "ctr_uuid": "128d81cd-78f2-4744-98b6-d19900625aa0", "confidence": "High", "ctr_dispositionOrder": 4, "ctr_hide": false}], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.246Z 804e3b095828 Skyformation - 750953637013587902 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 dproc=file events 
dtz=default-tenant duid=username duser=SYSTEM end=1631832499246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.725Z ext_md5Checksum=4fa0501c386184a3d8b599ab5bfdd7c2 ext_sharedWith=[] ext_sha256Checksum=72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335055Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-09T09:44:28.576Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335055Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4fa0501c386184a3d8b599ab5bfdd7c2\",\"sha256Checksum\":\"72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979\",\"createTimestamp\":\"2021-09-09T09:44:28.576Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.725Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d0d89806-4329-54f1-92f8-0085c4d17855", 
"observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.246Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.725Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979", "2021-09-16T22:52:32.757Z", 20992, "code42-exfil-share-datatype", "4fa0501c386184a3d8b599ab5bfdd7c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:19.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.576Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] 
ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336992Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.ComponentModel.Annotations.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":43152,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"7d3d14b0417a68ccdd9c51972ff74863\",\"sha256Checksum\":\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8a5e3684-e7b1-5b9f-a209-d7869b01aeb5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.258Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ComponentModel.Annotations.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4", "2021-09-16T22:52:32.766Z", 43152, "code42-exfil-share-datatype", "7d3d14b0417a68ccdd9c51972ff74863", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.285Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337054Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":293248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"64efa1bfed847afd252e7af274648474\",\"sha256Checksum\":\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableM
ediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-edff67a4-85b1-54b8-8379-dbf469aa9a5d", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.285Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237", "2021-09-16T22:52:32.764Z", 293248, "code42-exfil-share-datatype", "64efa1bfed847afd252e7af274648474", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.285Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.137Z 804e3b095828 Skyformation - 392809219994308060 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521137 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-rtlsupport-l1-1-0.dll fsize=12160 msg=Resource [Resource: file :: api-ms-win-core-rtlsupport-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.137Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-rtlsupport-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.749Z ext_md5Checksum=5bbca69ebadff5aa3456d95a857449f2 ext_sharedWith=[] ext_sha256Checksum=44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12160 ext_insertionTimestamp=2021-09-16T22:51:22.314900Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.748Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.137Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314900Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-rtlsupport-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12160,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5bbca69ebadff5aa3456d95a857449f2\",\"sha256Checksum\":\"44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751\",\"createTimestamp\":\"2021-09-08T09:32:11.748Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.749Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"m
imeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5bae4ed0-ed1b-5e79-9ed0-91754da9aa59", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.137Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-rtlsupport-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.749Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751", "2021-09-16T22:52:32.756Z", 12160, "code42-exfil-share-datatype", "5bbca69ebadff5aa3456d95a857449f2", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.137Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.748Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.262Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315284Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"msipc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3022712,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"dcd150947325c51dc49af1c568e76466\",\"sha256Checksum\":\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"createTimestamp\":\"2021-09-08T09:32:14.484Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.519Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-3764815d-d2f5-579a-be20-2c6282346cd1", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.262Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msipc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.519Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1", "2021-09-16T22:52:32.766Z", 3022712, "code42-exfil-share-datatype", "dcd150947325c51dc49af1c568e76466", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.262Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.484Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.336Z 804e3b095828 Skyformation - 6096184265000961437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507336 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.HxAccounts.dll fsize=2942464 msg=Resource [Resource: file :: Office.UI.Xaml.HxAccounts.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.336Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.HxAccounts.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.642Z ext_md5Checksum=bae190aeab7c357c1ea766ab9254857c ext_sharedWith=[] 
ext_sha256Checksum=801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2942464 ext_insertionTimestamp=2021-09-16T22:51:15.337484Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.336Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337484Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.HxAccounts.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2942464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bae190aeab7c357c1ea766ab9254857c\",\"sha256Checksum\":\"801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.642Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7f297a60-2a09-5bd3-9ef1-18510e5792a1", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.336Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Office.UI.Xaml.HxAccounts.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.642Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c", "2021-09-16T22:52:32.758Z", 2942464, "code42-exfil-share-datatype", "bae190aeab7c357c1ea766ab9254857c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.336Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.307Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":53112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0bf7eed5f18b294cd26d33a71c831237\",\"sha256Checksum\":\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.098Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestinatio
n\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f7c7271c-b02f-55d5-8324-6347f8c2ef43", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.307Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.098Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28", "2021-09-16T22:52:32.764Z", 53112, "code42-exfil-share-datatype", "0bf7eed5f18b294cd26d33a71c831237", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.307Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.130Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336068Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d7b70d7ae944e13019a7796eb46e966c\",\"sha256Checksum\":\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"
shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6bbdcb3d-de81-5fa0-9ce8-8196cab49f6d", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.130Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "d7b70d7ae944e13019a7796eb46e966c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.130Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.199Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315098Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-runtime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":16248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"439e89fa2d4882b639df5e8ec7a96ba3\",\"sha256Checksum\":\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"createTimestamp\":\"2021-09-08T09:32:11.868Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mime
TypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c5651815-9eb9-5ee5-b593-f145187c5f2b", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.199Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-runtime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862", "2021-09-16T22:52:32.759Z", 16248, "code42-exfil-share-datatype", "439e89fa2d4882b639df5e8ec7a96ba3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.199Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.868Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 
ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.328Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c329416237b094613fc5f5a64b2ecbce\",\"sha256Checksum\":\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"createTimestamp\":\"2021-09-09T09:44:28.564Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.664Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cb002c03-bff8-50b9-ab6c-38e051f8eaac", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.328Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.664Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75", "2021-09-16T22:52:32.765Z", 30720, "code42-exfil-share-datatype", "c329416237b094613fc5f5a64b2ecbce", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.328Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.564Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.233Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336279Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":35728,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1b4ed26020dd106aaf2e1a6265dce9d\",\"sha256Checksum\":\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"createTimestamp\":\"2021-08-18T09:55:42.627Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.224Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-36abdf49-657a-59e8-9c6b-bc66f117a563", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.233Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.224Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f", "2021-09-16T22:52:32.760Z", 35728, "code42-exfil-share-datatype", "e1b4ed26020dd106aaf2e1a6265dce9d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.233Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.627Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.200Z 804e3b095828 Skyformation - 7793293095645548560 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501200 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=25088 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.200Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.082Z ext_md5Checksum=fa2e5b66e169df3e80f8eed33a789fbc ext_sharedWith=[] ext_sha256Checksum=9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=25088 
ext_insertionTimestamp=2021-09-16T22:51:15.336201Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.622Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.200Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336201Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":25088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fa2e5b66e169df3e80f8eed33a789fbc\",\"sha256Checksum\":\"9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950\",\"createTimestamp\":\"2021-09-09T09:44:28.622Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.082Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e29fa47e-bf50-58cf-9339-6c430ab38a62", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.200Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.082Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950", "2021-09-16T22:52:32.757Z", 25088, "code42-exfil-share-datatype", "fa2e5b66e169df3e80f8eed33a789fbc", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.200Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.622Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:47.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315494Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"fileName\":\"OneDriveSetup.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47927168,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82a458793a4b821e54408db1a0ae4124\",\"sha256Checksum\":\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"createTimestamp\":\"2021-09-14T09:30:08.167Z\",\"modifyTimestamp\":\"2021-09-14T09:29:55.334Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applica
tion/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:47Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e14fb3f3-aefb-52b4-b546-f90b3b7fd5d2", "observed_start_time": "2021-09-16T22:48:47Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:47.204Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "OneDriveSetup.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-14T09:29:55.334Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4", "2021-09-16T22:52:32.761Z", 47927168, "code42-exfil-share-datatype", "82a458793a4b821e54408db1a0ae4124", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:47.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-14T09:30:08.167Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337062Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Threading.Channels.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"523c15d2368a36583c90119fd9f52fe7\",\"sha256Checksum\":\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.230Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\
":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-ee91bb4e-5f06-55c9-a35c-5b16e355d85e", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.288Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Threading.Channels.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.230Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0", "2021-09-16T22:52:32.766Z", 45952, "code42-exfil-share-datatype", "523c15d2368a36583c90119fd9f52fe7", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z 
ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.190Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336835Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Logging.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":34168,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47d7a055ee7672f9b54ba629da07a6a3\",\"sha256Checksum\":\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a9032f0e-b114-516c-83c5-fcd804f2e56f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.190Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Logging.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c", "2021-09-16T22:52:32.766Z", 34168, "code42-exfil-share-datatype", "47d7a055ee7672f9b54ba629da07a6a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.190Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.248Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315215Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"ipcfile.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":519040,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c0ae22d4188ac20d9d83dd26ad0aabe8\",\"sha256Checksum\":\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"createTimestamp\":\"2021-09-08T09:32:13.591Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.599Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedi
aSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-69abadfe-25fd-5e4f-a407-b3da485bbc62", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.248Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ipcfile.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.599Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0", "2021-09-16T22:52:32.766Z", 519040, "code42-exfil-share-datatype", "c0ae22d4188ac20d9d83dd26ad0aabe8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.248Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z 
ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.295Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335136Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5a9f0b52ac62762bd03d34c0e410acb3\",\"sha256Checksum\":\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.316Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-24d9af69-669e-5391-ae0b-c18dc61ef987", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.295Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.316Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0", "2021-09-16T22:52:32.760Z", 15224, "code42-exfil-share-datatype", "5a9f0b52ac62762bd03d34c0e410acb3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.295Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.161Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334894Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"981e3dd612e3d93ba10c54e46d378aa5\",\"sha256Checksum\":\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.176Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-25fd1982-75f3-5e52-902d-b527a9cd6267", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.161Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.176Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0", "2021-09-16T22:52:32.762Z", 17784, "code42-exfil-share-datatype", "981e3dd612e3d93ba10c54e46d378aa5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.161Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.133Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336694Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":144760,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1edab455db5fec76120731d3c11cb67\",\"sha256Checksum\":\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.823Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5ee0bfc1-0b98-5a2f-bd7a-e2956ae8bd8c", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.133Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.823Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b", "2021-09-16T22:52:32.761Z", 144760, "code42-exfil-share-datatype", "e1edab455db5fec76120731d3c11cb67", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.133Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.108Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Google.Protobuf.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":401064,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e73f645a041a91618e33299cfe33851\",\"sha256Checksum\":\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.060Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMe
diaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-865b0547-28b5-5628-81aa-fd2365d64178", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.108Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Google.Protobuf.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.060Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661", "2021-09-16T22:52:32.766Z", 401064, "code42-exfil-share-datatype", "5e73f645a041a91618e33299cfe33851", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.108Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.153Z 804e3b095828 Skyformation - 7743569861848583628 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-timezone-l1-1-0.dll fsize=12152 msg=Resource [Resource: file :: api-ms-win-core-timezone-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-timezone-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.779Z ext_md5Checksum=1036215228ab84a9089baf43196b5347 ext_sharedWith=[] ext_sha256Checksum=5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12152 ext_insertionTimestamp=2021-09-16T22:51:22.314959Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.778Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314959Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-timezone-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12152,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"1036215228ab84a9089baf43196b5347\",\"sha256Checksum\":\"5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1\",\"createTimestamp\":\"2021-09-08T09:32:11.778Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.779Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-061845c2-9952-5d67-8de4-bc1db5becde4", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.153Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-timezone-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.779Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1", "2021-09-16T22:52:32.755Z", 12152, "code42-exfil-share-datatype", "1036215228ab84a9089baf43196b5347", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.778Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.212Z 804e3b095828 Skyformation - 5968313916744927868 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500212 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationCore.resources.dll fsize=108400 msg=Resource [Resource: file :: PresentationCore.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.212Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationCore.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.722Z ext_md5Checksum=5d4f96b6a42c28702870a533a7617bd5 ext_sharedWith=[] ext_sha256Checksum=30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=108400 
ext_insertionTimestamp=2021-09-16T22:51:15.335548Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.346Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.212Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335548Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"PresentationCore.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":108400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5d4f96b6a42c28702870a533a7617bd5\",\"sha256Checksum\":\"30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7\",\"createTimestamp\":\"2021-08-18T09:55:42.346Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.722Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],
\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b903a5a3-b012-5096-a170-05bc5a2946ba", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.212Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationCore.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:49.722Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7", "2021-09-16T22:52:32.757Z", 108400, "code42-exfil-share-datatype", "5d4f96b6a42c28702870a533a7617bd5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.212Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.346Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.191Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337203Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"fileName\":\"e_sqlite3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":870400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6844e4b40c797e392e1dddcfae0b8dd4\",\"sha256Checksum\":\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"createTimestamp\":\"2020-08-20T09:07:00.718Z\",\"modifyTimestamp\":\"2020-08-20T09:07:05.686Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-eb7e3801-f619-540e-a8f4-05fc9da73c0c", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.191Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "e_sqlite3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-08-20T09:07:05.686Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1", "2021-09-16T22:52:32.766Z", 870400, "code42-exfil-share-datatype", "6844e4b40c797e392e1dddcfae0b8dd4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.191Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-08-20T09:07:00.718Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username 
duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.192Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314319Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.Calc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1333608,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"29b2b242a9fb8c094425d566c50f0958\",\"sha256Checksum\":\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"createTimestamp\":\"2021-09-08T09:32:13.949Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.967Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestination
Username\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-34f54f93-f2dd-59f3-a154-10f1707d627b", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": 
{"start_time": "2021-09-16T22:48:40.192Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.Calc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.967Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64", "2021-09-16T22:52:32.760Z", 1333608, "code42-exfil-share-datatype", "29b2b242a9fb8c094425d566c50f0958", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.192Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.949Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 
2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.330Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335818Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1b1e7bc04757e673ca956218abdb7959\",\"sha256Checksum\":\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"createTimestamp\":\"2021-08-18T09:55:42.393Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.144Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":
null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6cd2b8fc-f731-57c1-86f5-fed67f0957a8", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.330Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.144Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb", "2021-09-16T22:52:32.766Z", 15736, "code42-exfil-share-datatype", "1b1e7bc04757e673ca956218abdb7959", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.330Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.393Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.280Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335704Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc434cced48beee1b8f867474c5cc33d\",\"sha256Checksum\":\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"createTimestamp\":\"2021-09-09T09:44:28.599Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.991Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f31e2487-c55b-515f-b8fc-e0a53f0ef25d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.280Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.991Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6", "2021-09-16T22:52:32.765Z", 26112, "code42-exfil-share-datatype", "dc434cced48beee1b8f867474c5cc33d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.280Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.599Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 
ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.128Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337977Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncTelemetryExtensions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":71544,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"faaf9d982dbaa8ab547098f1fb6abc81\",\"sha256Checksum\":\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"createTimestamp\":\"2021-09-08T09:32:13.402Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.405Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"r
emovableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-91f9087e-ab21-5688-acba-fb1eb85ba5b8", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.128Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncTelemetryExtensions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:13.405Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239", "2021-09-16T22:52:32.759Z", 71544, "code42-exfil-share-datatype", "faaf9d982dbaa8ab547098f1fb6abc81", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.128Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.402Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.166Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Caching.Memory.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":32120,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"9e7c8d18c1128488df0dea96a6b5be3c\",\"sha256Checksum\":\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.247Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-428b7375-7e1c-5850-8200-06507b5b34a0", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.166Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Caching.Memory.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.247Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f", "2021-09-16T22:52:32.764Z", 32120, "code42-exfil-share-datatype", "9e7c8d18c1128488df0dea96a6b5be3c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.166Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.284Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337354Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxCommModel.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4250624,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1d0bcfa0671f607ba8e3ab53f893e8bb\",\"sha256Checksum\":\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.137Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":n
ull,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-19161eab-42bb-5946-8a45-838595016d88", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.284Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxCommModel.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:52.137Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3", "2021-09-16T22:52:32.763Z", 4250624, "code42-exfil-share-datatype", "1d0bcfa0671f607ba8e3ab53f893e8bb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.284Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.160Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336148Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"077bb8ca6a783006aacb63d08317c339\",\"sha256Checksum\":\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61471_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fedbe573-b72a-5077-ba5e-941b4ee49a84", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.160Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92", "2021-09-16T22:52:32.764Z", 17272, "code42-exfil-share-datatype", "077bb8ca6a783006aacb63d08317c339", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.160Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.134Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336077Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Forms.Design.Editors.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":78200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3feb5a138ff178c1dd47a8a99f394517\",\"sha256Checksum\":\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.771Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"
windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-38500b3c-d09a-5933-9f12-8ce1bcf80dc7", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.134Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.Design.Editors.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.771Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30", "2021-09-16T22:52:32.759Z", 78200, "code42-exfil-share-datatype", "3feb5a138ff178c1dd47a8a99f394517", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.134Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314982Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-conio-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c61e3c9099cc2b143cc93bf26ac01d34\",\"sha256Checksum\":\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"createTimestamp\":\"2021-09-08T09:32:11.790Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.790Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTyp
eByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ea331943-231d-59ae-b045-bf2899370e95", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.158Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-conio-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.790Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc", "2021-09-16T22:52:32.763Z", 12664, "code42-exfil-share-datatype", "c61e3c9099cc2b143cc93bf26ac01d34", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.790Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:47:48.222Z\",\"insertionTimestamp\":\"2021-09-16T22:56:50.885010Z\",\"fieldErrors\":[],\"filePath\":\"C:/\",\"fileName\":\"sshd.pid\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":6,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4ae3b17c6481c84809152f331f7d783c\",\"sha256Checksum\":\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"createTimestamp\":\"2021-03-17T09:49:37.832Z\",\"modifyTimestamp\":\"2021-09-16T09:39:11.904Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch
\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:47:48Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-89f62135-5d10-5c8b-b5fa-817a2c27a8aa", "observed_start_time": "2021-09-16T22:47:48Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:47:48.222Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": 
"domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "sshd.pid", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T09:39:11.904Z", "application/octet-stream", "MODIFIED", "162.222.47.183", "darnell.waters", "c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750", "2021-09-16T22:58:29.756Z", 6, "code42-exfil-share-datatype", "4ae3b17c6481c84809152f331f7d783c", 57848, "false", "TRUE", "C:/", "Document", "Administrators", "FILE", "902428473202283166", "2021-09-16T22:47:48.222Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-03-17T09:49:37.832Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events 
dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.090Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335347Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":19968,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b2f71614b51575b117cfa4356d851423\",\"sha256Checksum\":\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"createTimestamp\":\"2021-09-09T09:44:28.589Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.950Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5dc47da6-f678-5f91-974b-61b966157a34", 
"observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.090Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.950Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b", "2021-09-16T22:52:32.761Z", 19968, "code42-exfil-share-datatype", "b2f71614b51575b117cfa4356d851423", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:20.090Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.589Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] 
ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337538Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"TextEntityExtractorProxy.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":638976,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f8af1754c0bdb86deb1f68930784d580\",\"sha256Checksum\":\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.205Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":
null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-136baa2d-5aea-5b0a-9418-0a52aa609308", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.350Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "TextEntityExtractorProxy.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.205Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab", "2021-09-16T22:52:32.767Z", 638976, "code42-exfil-share-datatype", "f8af1754c0bdb86deb1f68930784d580", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.076Z 804e3b095828 Skyformation - 147196130964191603 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832501076 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.076Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.014Z ext_md5Checksum=081d17a68c2295a810e0b139bfa4e114 ext_sharedWith=[] ext_sha256Checksum=99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335934Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.605Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.076Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335934Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"081d17a68c2295a810e0b139bfa4e114\",\"sha256Checksum\":\"99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038\",\"createTimestamp\":\"2021-09-09T09:44:28.605Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.014Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syn
cDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44b73b40-4221-578b-9eae-d3810396510a", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": 
"domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.076Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.014Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038", "2021-09-16T22:52:32.756Z", 20992, "code42-exfil-share-datatype", "081d17a68c2295a810e0b139bfa4e114", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.076Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-09-09T09:44:28.605Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 
ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.146Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335417Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":208784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"beeb465b9ab84dbb8f78f866924d49fe\",\"sha256Checksum\":\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"createTimestamp\":\"2021-08-18T09:55:42.315Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.676Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdde
d\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a2446362-b761-59ca-b266-481be937f20d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.146Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.676Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154", "2021-09-16T22:52:32.766Z", 208784, "code42-exfil-share-datatype", "beeb465b9ab84dbb8f78f866924d49fe", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.146Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.315Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.207Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314378Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":729448,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"4bb5499613eca0fe0670a3cab2d5318e\",\"sha256Checksum\":\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"createTimestamp\":\"2021-09-08T09:32:14.205Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.217Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4705bfeb-5768-5df8-b473-f0f8d7e7e6fa", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.207Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.217Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636", "2021-09-16T22:52:32.764Z", 729448, "code42-exfil-share-datatype", "4bb5499613eca0fe0670a3cab2d5318e", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.207Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.205Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:46.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315412Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"fileName\":\"qtquickextrasplugin.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":80256,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"68118cdf04def6c50804a705773bbd9b\",\"sha256Checksum\":\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"createTimestamp\":\"2021-09-08T09:32:21.221Z\",\"modifyTimestamp\":\"2021-09-08T09:32:21.223Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"
removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:46Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", 
"id": "transient:sighting-5083602b-a06b-5d24-af8f-2bfe63c17e91", "observed_start_time": "2021-09-16T22:48:46Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:46.178Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "qtquickextrasplugin.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:21.223Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8", "2021-09-16T22:52:32.765Z", 80256, "code42-exfil-share-datatype", "68118cdf04def6c50804a705773bbd9b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:46.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:21.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.204Z 804e3b095828 Skyformation - 6039121869236992200 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.dll fsize=8971112 msg=Resource [Resource: file :: Microsoft.SharePoint.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.091Z ext_md5Checksum=aa47b460aedf810bc504ff9cea7b4b71 ext_sharedWith=[] 
ext_sha256Checksum=c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8971112 ext_insertionTimestamp=2021-09-16T22:51:22.314366Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.994Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314366Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":8971112,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"aa47b460aedf810bc504ff9cea7b4b71\",\"sha256Checksum\":\"c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268\",\"createTimestamp\":\"2021-09-08T09:32:13.994Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.091Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"
directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, 
"common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b2501b6d-6041-5a59-b80b-711a0c3b8cd0", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.204Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.091Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268", "2021-09-16T22:52:32.758Z", 8971112, "code42-exfil-share-datatype", "aa47b460aedf810bc504ff9cea7b4b71", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.994Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335127Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Forms.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":355192,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47613e3bfa408b3299c04d0df45433ba\",\"sha256Checksum\":\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.301Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ddd7dd6e-c60a-5d7c-a1c3-0df72e003f42", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.292Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.301Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5", "2021-09-16T22:52:32.763Z", 355192, "code42-exfil-share-datatype", "47613e3bfa408b3299c04d0df45433ba", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336218Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"vcruntime140_cor3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":97160,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18049f6811fc0f94547189a9e104f5d2\",\"sha256Checksum\":\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"createTimestamp\":\"2021-08-18T09:55:42.611Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.958Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removabl
eMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5fc598ee-3323-5bd8-b51e-6aa2487ff75f", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.206Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "vcruntime140_cor3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:53.958Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db", "2021-09-16T22:52:32.762Z", 97160, "code42-exfil-share-datatype", "18049f6811fc0f94547189a9e104f5d2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.611Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.060Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335277Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1ac89288b8009c9a0fb138fb9d67b150\",\"sha256Checksum\":\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"createTimestamp\":\"2021-09-09T09:44:28.586Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.943Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1817976c-22c7-5ba2-a2ec-9f106a5188a4", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.060Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.943Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780", "2021-09-16T22:52:32.763Z", 30720, "code42-exfil-share-datatype", "1ac89288b8009c9a0fb138fb9d67b150", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.060Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.586Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 
ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.278Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336341Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"UIAutomationClient.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18320,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e55e4041d9e6f6bf0d3738a25255913\",\"sha256Checksum\":\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.271Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":
[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7b553448-cac0-598c-9207-98392e4a6815", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.278Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationClient.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:54.271Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f", "2021-09-16T22:52:32.762Z", 18320, "code42-exfil-share-datatype", "5e55e4041d9e6f6bf0d3738a25255913", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.278Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.388Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314702Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-datetime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"98cfeaa96192d5dccc4a1852f6754fd5\",\"sha256Checksum\":\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"createTimestamp\":\"2021-09-08T09:32:11.142Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.155Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-821e586f-78f1-5c4b-a330-7c3a4a90e160", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.388Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-datetime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.155Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027", "2021-09-16T22:52:32.762Z", 11648, "code42-exfil-share-datatype", "98cfeaa96192d5dccc4a1852f6754fd5", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.388Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.142Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.216Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337256Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"libnanoapi.lib\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":1570,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bb41b302cf1325c4f459616da8e605a2\",\"sha256Checksum\":\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"createTimestamp\":\"2021-09-09T09:44:28.468Z\",\"modifyTimestamp\":\"2021-09-09T09:44:30.262Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\
":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-archive\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-326df068-94c9-5e34-81e0-c9ea9531369e", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.216Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libnanoapi.lib", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:30.262Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df", "2021-09-16T22:52:32.763Z", 1570, "code42-exfil-share-datatype", "bb41b302cf1325c4f459616da8e605a2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/", "Archive", "SYSTEM", "FILE", 
"902428473202283166", "2021-09-16T22:48:23.216Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.468Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] 
ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337045Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Encodings.Web.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":59768,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2e2490a823b4a3d290a98d0371d199ed\",\"sha256Checksum\":\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-098fcb07-3723-5a0e-8225-82803059eaf5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.281Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Encodings.Web.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724", "2021-09-16T22:52:32.766Z", 59768, "code42-exfil-share-datatype", "2e2490a823b4a3d290a98d0371d199ed", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.245Z 804e3b095828 Skyformation - 9011587025266222990 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500245 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xaml.resources.dll fsize=64400 msg=Resource [Resource: file :: System.Xaml.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.245Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Xaml.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.879Z ext_md5Checksum=79f7a9435ff548517a7219880789cca3 ext_sharedWith=[] ext_sha256Checksum=030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=64400 ext_insertionTimestamp=2021-09-16T22:51:15.335626Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.245Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335626Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Xaml.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":64400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"79f7a9435ff548517a7219880789cca3\",\"sha256Checksum\":\"030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNum
ber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-21427167-a3b0-5f52-8702-af47599ee1bb", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.245Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xaml.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683", "2021-09-16T22:52:32.758Z", 64400, "code42-exfil-share-datatype", "79f7a9435ff548517a7219880789cca3", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.245Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z 
ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.391Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314714Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-debug-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5c7fa0b68872c2d1d3f10601e3af2341\",\"sha256Checksum\":\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"createTimestamp\":\"2021-09-08T09:32:11.181Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.185Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"101
7088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 
30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-df11e4bd-5223-5ba3-998c-63e5b6a7404f", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.391Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", 
"api-ms-win-core-debug-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.185Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477", "2021-09-16T22:52:32.758Z", 11648, "code42-exfil-share-datatype", "5c7fa0b68872c2d1d3f10601e3af2341", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.391Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.181Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:30.321Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337686Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"inktotextengineimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":346480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3579a936952da7532c4358700bed43a3\",\"sha256Checksum\":\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.674Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\
"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:30Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8fc99d0b-10ae-5866-bcf6-596487b75f28", "observed_start_time": "2021-09-16T22:48:30Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:30.321Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "inktotextengineimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.674Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82", "2021-09-16T22:52:32.762Z", 346480, "code42-exfil-share-datatype", "3579a936952da7532c4358700bed43a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:30.321Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.125Z 804e3b095828 Skyformation - 6459940454527848135 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832501125 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=37264 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.125Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=0d48b65e82aff3b5d117729868cf0319 ext_sharedWith=[] ext_sha256Checksum=1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37264 ext_insertionTimestamp=2021-09-16T22:51:15.336060Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.125Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336060Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":37264,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0d48b65e82aff3b5d117729868cf0319\",\"sha256Checksum\":\"1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestinatio
n\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-68df9315-560d-5c70-8845-a14a097e8135", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.125Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d", "2021-09-16T22:52:32.757Z", 37264, "code42-exfil-share-datatype", "0d48b65e82aff3b5d117729868cf0319", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.125Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",\"sha256Checksum\":\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"createTimestamp\":\"2021-09-09T09:44:28.598Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.987Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"s
hared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c63c47b6-7c5e-566e-aa43-5f12c76a8510", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.288Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.987Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c", "2021-09-16T22:52:32.761Z", 26112, "code42-exfil-share-datatype", "c0d4746e3cb9e48dfa98f5e7d7bd98a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.598Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.303Z 804e3b095828 Skyformation - 808043852961842895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=256912 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.082Z ext_md5Checksum=dc8ca3ec6a99318b649dc686002e72d4 ext_sharedWith=[] ext_sha256Checksum=75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=256912 ext_insertionTimestamp=2021-09-16T22:51:15.335757Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.303Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335757Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":256912,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc8ca3ec6a99318b649dc686002e72d4\",\"sha256Checksum\":\"75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.082Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-affd0ffb-ec18-572a-a4fd-d077df9f8e38", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.303Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.082Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c", "2021-09-16T22:52:32.757Z", 256912, "code42-exfil-share-datatype", "dc8ca3ec6a99318b649dc686002e72d4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.303Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.163Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335444Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b5cb4e7532586d8ec2a144fe895ef55d\",\"sha256Checksum\":\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"createTimestamp\":\"2021-08-18T09:55:42.330Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.707Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1d401e9a-2cb1-5def-a24d-24a9b8b5ac8b", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.163Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.707Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e", "2021-09-16T22:52:32.765Z", 17272, "code42-exfil-share-datatype", "b5cb4e7532586d8ec2a144fe895ef55d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.163Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.330Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337345Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":22965248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3bf2cfa3eeecd650c9564a2b6543b398\",\"sha256Checksum\":\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:51.480Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operating
SystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-59a10cc7-a14c-5876-9451-e86731e2b5a1", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.281Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": 
"src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:51.480Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680", "2021-09-16T22:52:32.760Z", 22965248, "code42-exfil-share-datatype", "3bf2cfa3eeecd650c9564a2b6543b398", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 
fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335338Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"mscorrc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":13176,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fc24926593d08479a7ed2bdaff458d20\",\"sha256Checksum\":\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"createTimestamp\":\"2021-08-18T09:55:42.252Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.613Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\
"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb64de71-ae43-53b8-99b8-1d60d6a1fce9", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.086Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorrc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.613Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532", "2021-09-16T22:52:32.759Z", 13176, "code42-exfil-share-datatype", "fc24926593d08479a7ed2bdaff458d20", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.252Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.231Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314459Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5DBus.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":437624,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"d10cb4ac9a26d6350f1079399351e9d3\",\"sha256Checksum\":\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"createTimestamp\":\"2021-09-08T09:32:15.238Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.354Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-51e040bc-c210-5e54-ab78-5a8a0241c9ec", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.231Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5DBus.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.354Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8", "2021-09-16T22:52:32.760Z", 437624, "code42-exfil-share-datatype", "d10cb4ac9a26d6350f1079399351e9d3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.231Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.238Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.139Z 804e3b095828 Skyformation - 675604398557112437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502139 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Common.dll fsize=37240 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Common.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.139Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Common.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=405c72ee27026791aae1d61e63941509 ext_sharedWith=[] 
ext_sha256Checksum=838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37240 ext_insertionTimestamp=2021-09-16T22:51:15.336712Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.139Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336712Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Common.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":37240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"405c72ee27026791aae1d61e63941509\",\"sha256Checksum\":\"838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f86a975c-9f26-5e51-802f-84c2af9a6932", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.139Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Common.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a", "2021-09-16T22:52:32.756Z", 37240, "code42-exfil-share-datatype", "405c72ee27026791aae1d61e63941509", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.139Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336975Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Buffers.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20856,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ecdfe8ede869d2ccc6bf99981ea96400\",\"sha256Checksum\":\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.607Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMedi
aName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6952810f-046c-5949-8e5d-34f48532431a", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.246Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Buffers.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.607Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb", "2021-09-16T22:52:32.759Z", 20856, "code42-exfil-share-datatype", "ecdfe8ede869d2ccc6bf99981ea96400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.229Z 804e3b095828 Skyformation - 7367432510121182400 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520229 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Core.dll fsize=5929344 msg=Resource [Resource: file :: Qt5Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.229Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.180Z ext_md5Checksum=0629615fa66f3c3d4f16741c7fc04807 ext_sharedWith=[] ext_sha256Checksum=5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5929344 ext_insertionTimestamp=2021-09-16T22:51:22.314447Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.121Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.229Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314447Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5929344,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"0629615fa66f3c3d4f16741c7fc04807\",\"sha256Checksum\":\"5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5\",\"createTimestamp\":\"2021-09-08T09:32:15.121Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.180Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"appli
cation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66babe0b-6e97-52f2-964c-23812722ada2", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.229Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.180Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5", "2021-09-16T22:52:32.756Z", 5929344, "code42-exfil-share-datatype", "0629615fa66f3c3d4f16741c7fc04807", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.229Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.121Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.124Z 804e3b095828 Skyformation - 4266986604087729995 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500124 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.124Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.960Z ext_md5Checksum=303d4e1e6736b01a0e0d418c543c1346 ext_sharedWith=[] ext_sha256Checksum=4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335373Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.124Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335373Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"303d4e1e6736b01a0e0d418c543c1346\",\"sha256Checksum\":\"4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6\",\"createTimestamp\":\"2021-09-09T09:44:28.591Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.960Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVen
dor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3f6c10e2-6344-52d5-8291-7e3610ff01c3", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.124Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.960Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6", "2021-09-16T22:52:32.757Z", 20992, "code42-exfil-share-datatype", "303d4e1e6736b01a0e0d418c543c1346", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.124Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.409Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314795Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-interlocked-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11640,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"72413f1254d09348dab76ee4e5e2e300\",\"sha256Checksum\":\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"createTimestamp\":\"2021-09-08T09:32:11.394Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.395Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dfa102a1-c14f-54fa-a264-167f1cca11d6", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.409Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-interlocked-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.395Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9", "2021-09-16T22:52:32.767Z", 11640, "code42-exfil-share-datatype", "72413f1254d09348dab76ee4e5e2e300", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.409Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.394Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.279Z 804e3b095828 Skyformation - 1930420880376628781 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507279 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.Ipc.Proxies.dll fsize=15872 msg=Resource [Resource: file :: HxComm.Ipc.Proxies.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.279Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.Ipc.Proxies.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.074Z ext_md5Checksum=cf6b921615692c64ac828dd7a37dd753 ext_sharedWith=[] ext_sha256Checksum=a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15872 
ext_insertionTimestamp=2021-09-16T22:51:15.337336Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.279Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337336Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.Ipc.Proxies.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"cf6b921615692c64ac828dd7a37dd753\",\"sha256Checksum\":\"a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.074Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[
],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a7581d2d-5489-5d5e-90a1-c3053d0c9faf", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.279Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.Ipc.Proxies.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:52.074Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1", "2021-09-16T22:52:32.758Z", 15872, "code42-exfil-share-datatype", "cf6b921615692c64ac828dd7a37dd753", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.279Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314470Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Gui.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6671232,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f53d5cd7837e933cf4cc8c07a1a88350\",\"sha256Checksum\":\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"createTimestamp\":\"2021-09-08T09:32:15.375Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.450Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applic
ation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-017b269d-f20a-556e-98ca-8882048439ca", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.234Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Gui.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.450Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0", "2021-09-16T22:52:32.762Z", 6671232, "code42-exfil-share-datatype", "f53d5cd7837e933cf4cc8c07a1a88350", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.234Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.375Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.168Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336774Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Abstractions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":21368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1c8f3a5d41fd162943613952097db8b\",\"sha256Checksum\":\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableM
ediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7eaa3a3c-8d7d-5542-ba3c-9a16e57c793b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.168Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Abstractions.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732", "2021-09-16T22:52:32.765Z", 21368, "code42-exfil-share-datatype", "e1c8f3a5d41fd162943613952097db8b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.168Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.219Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336922Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Newtonsoft.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":653824,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f33cbe589b769956284868104686cc2d\",\"sha256Checksum\":\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"createTimestamp\":\"2020-05-21T13:18:58.618Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.588Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fe8ae781-02a0-5307-abd5-6384db4d2597", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.219Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Newtonsoft.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.588Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278", "2021-09-16T22:52:32.761Z", 653824, "code42-exfil-share-datatype", "f33cbe589b769956284868104686cc2d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.219Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.201Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314355Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.WebSocketClient.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1103208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"e93c70df0faa580e8272c9c833238352\",\"sha256Checksum\":\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"createTimestamp\":\"2021-09-08T09:32:14.457Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.468Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMed
iaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5da6e225-f60e-5faa-9c7e-9550e0df63ac", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.201Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.WebSocketClient.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.468Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00", "2021-09-16T22:52:32.763Z", 1103208, "code42-exfil-share-datatype", "e93c70df0faa580e8272c9c833238352", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.201Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.457Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.303Z 804e3b095828 Skyformation - 2504656101616966541 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WebView2Loader.dll fsize=136576 msg=Resource [Resource: file :: WebView2Loader.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WebView2Loader.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.620Z ext_md5Checksum=82c2b3a8e75ab4fc6cc1360ea2c663e3 ext_sharedWith=[] ext_sha256Checksum=d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=136576 ext_insertionTimestamp=2021-09-16T22:51:22.314656Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.303Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314656Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"WebView2Loader.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":136576,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82c2b3a8e75ab4fc6cc1360ea2c663e3\",\"sha256Checksum\":\"d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a\",\"createTimestamp\":\"2021-09-08T09:32:16.618Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.620Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\
"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-02622f5a-4fce-56fe-901b-863245b815d6", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.303Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WebView2Loader.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.620Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a", "2021-09-16T22:52:32.755Z", 136576, "code42-exfil-share-datatype", "82c2b3a8e75ab4fc6cc1360ea2c663e3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.303Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.250Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336984Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Collections.Immutable.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":302216,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d8203aedaabeac1e606cd0e2af397d01\",\"sha256Checksum\":\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.294Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,
\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dfab61df-0096-5423-8a0c-b2c4dc5b8b98", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.250Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Collections.Immutable.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.294Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57", "2021-09-16T22:52:32.760Z", 302216, "code42-exfil-share-datatype", "d8203aedaabeac1e606cd0e2af397d01", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.250Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.105Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336624Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"DotNetty.Transport.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":254464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a67dcf64aab4980b9bd9fb623cc7242\",\"sha256Checksum\":\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.044Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-37290152-c41e-56db-908e-bd32da2df133", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.105Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "DotNetty.Transport.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.044Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4", "2021-09-16T22:52:32.765Z", 254464, "code42-exfil-share-datatype", "4a67dcf64aab4980b9bd9fb623cc7242", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.105Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 
ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.268Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334477Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45448,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c9ea75b02fd1d01f87d8ca868c1ec833\",\"sha256Checksum\":\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"createTimestamp\":\"2021-08-18T09:55:42.111Z\",\"modifyTimestamp\":\"2021-08-18T09:55:47.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"file
Classifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-536ae9c9-aa2b-556e-92fa-d090d49269b6", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.268Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:47.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d", "2021-09-16T22:52:32.759Z", 45448, "code42-exfil-share-datatype", "c9ea75b02fd1d01f87d8ca868c1ec833", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.268Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.111Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.098Z 804e3b095828 Skyformation - 7444223728288167550 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508098 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointl30_winrt.dll fsize=86384 msg=Resource [Resource: file :: msointl30_winrt.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.098Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointl30_winrt.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.683Z ext_md5Checksum=18ad415ef30924748d83afeeee4d9cb0 ext_sharedWith=[] ext_sha256Checksum=e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=86384 ext_insertionTimestamp=2021-09-16T22:51:15.337616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.098Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointl30_winrt.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":86384,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18ad415ef30924748d83afeeee4d9cb0\",\"sha256Checksum\":\"e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.683Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null
,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7e4dc97b-2030-545d-a650-c48fd51597ec", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.098Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": 
"src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointl30_winrt.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.683Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd", "2021-09-16T22:52:32.758Z", 86384, "code42-exfil-share-datatype", "18ad415ef30924748d83afeeee4d9cb0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.098Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username duser=darnell.waters 
end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.411Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314807Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"94d4e2bb8654b77c41cd35574e3f0299\",\"sha256Checksum\":\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"createTimestamp\":\"2021-09-08T09:32:11.401Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.402Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncD
estinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44a1a814-a037-5649-ace1-3f3276228e78", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": 
{"start_time": "2021-09-16T22:48:40.411Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-libraryloader-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.402Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082", "2021-09-16T22:52:32.762Z", 12664, "code42-exfil-share-datatype", "94d4e2bb8654b77c41cd35574e3f0299", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.411Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.401Z"]]}}, {"suspicious": 0, "description": 
"```\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.132Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334824Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b81fa8bc88192c7febd2479638aea569\",\"sha256Checksum\":\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"createTimestamp\":\"2021-08-18T09:55:42.158Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.113Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure
\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6b44195a-efec-59e6-90b2-a72c680eb96b", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.132Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.113Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "b81fa8bc88192c7febd2479638aea569", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.132Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.158Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.325Z 804e3b095828 Skyformation - 5312164448627929884 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499325 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=3584 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.325Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.728Z ext_md5Checksum=c62d73c8ea0d55db08cceec7afc7e3cc ext_sharedWith=[] ext_sha256Checksum=2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3584 ext_insertionTimestamp=2021-09-16T22:51:15.335208Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.577Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.325Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335208Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3584,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c62d73c8ea0d55db08cceec7afc7e3cc\",\"sha256Checksum\":\"2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd\",\"createTimestamp\":\"2021-09-09T09:44:28.577Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.728Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cf841002-dfb0-5c90-9fb1-281afd8d004d", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.325Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.728Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd", "2021-09-16T22:52:32.756Z", 3584, "code42-exfil-share-datatype", "c62d73c8ea0d55db08cceec7afc7e3cc", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.325Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.577Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.241Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335618Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",\"sha256Checksum\":\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.863Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,
\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d03cc6e3-0d73-5ec3-902a-28c04f19e570", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.241Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.863Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d", "2021-09-16T22:52:32.765Z", 15240, "code42-exfil-share-datatype", "d1b7ec7c3a95ec1e84117bfef59f1ab6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.241Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.175Z 804e3b095828 Skyformation - 937782685410137034 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511175 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=saext.dll fsize=559480 msg=Resource [Resource: file :: saext.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.175Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=saext.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.174Z ext_md5Checksum=4a0f85409681a359adbbda4104daa7fb ext_sharedWith=[] ext_sha256Checksum=046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=559480 ext_insertionTimestamp=2021-09-16T22:51:15.337820Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.175Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337820Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"saext.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":559480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a0f85409681a359adbbda4104daa7fb\",\"sha256Checksum\":\"046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.174Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSys
temUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2113c1b0-3556-58e7-a54a-1004516f2597", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.175Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "saext.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.174Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9", "2021-09-16T22:52:32.758Z", 559480, "code42-exfil-share-datatype", "4a0f85409681a359adbbda4104daa7fb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:31.175Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.100Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337625Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointlimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":377184,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"99d060c13d92442ea518ad6c13305532\",\"sha256Checksum\":\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"email
Sender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-534dea1b-0dc4-5ca4-8133-5b7d820baf25", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.100Z"}, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointlimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191", "2021-09-16T22:52:32.765Z", 377184, "code42-exfil-share-datatype", "99d060c13d92442ea518ad6c13305532", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.100Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 
ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.089Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336572Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Castle.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":442368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2fba45e50a9fb187e9873416bc6b4400\",\"sha256Checksum\":\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"createTimestamp\":\"2021-05-13T09:36:01.137Z\",\"modifyTimestamp\":\"2021-05-13T09:36:05.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\"
:[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fdc9d09f-3af0-54ae-a39c-63221dc894ec", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.089Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Castle.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:05.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23", "2021-09-16T22:52:32.760Z", 442368, "code42-exfil-share-datatype", "2fba45e50a9fb187e9873416bc6b4400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.089Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.137Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315122Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-string-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f340a17ac423c71767d66973f69d05c8\",\"sha256Checksum\":\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"createTimestamp\":\"2021-09-08T09:32:11.882Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.883Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeT
ypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d693bd9e-8d43-50df-a4ca-e6e50cf7b354", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.206Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-string-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.883Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa", "2021-09-16T22:52:32.761Z", 18296, "code42-exfil-share-datatype", "f340a17ac423c71767d66973f69d05c8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.882Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 
ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.184Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337194Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"libnanoapimanaged.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7197696,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff0f788645e78335908728321c10454b\",\"sha256Checksum\":\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"createTimestamp\":\"2021-09-09T09:44:28.638Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.359Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"re
movableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3dc7244c-e1bd-5b60-bdb4-2cb874a6fd43", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.184Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "libnanoapimanaged.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.359Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c", "2021-09-16T22:52:32.759Z", 7197696, "code42-exfil-share-datatype", "ff0f788645e78335908728321c10454b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.184Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.638Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337186Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"YourPhoneServer.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47104,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"640c3b31c496531dacc0a8fb830fd457\",\"sha256Checksum\":\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"createTimestamp\":\"2021-09-09T09:44:28.653Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.484Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSyst
emUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0fff593c-89eb-5aa2-84bb-cb724b886696", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.178Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneServer.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.484Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7", "2021-09-16T22:52:32.765Z", 47104, "code42-exfil-share-datatype", "640c3b31c496531dacc0a8fb830fd457", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.653Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.158Z 804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336139Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f96e04ea6cbce1560b83bff7a42f29b0\",\"sha256Checksum\":\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDest
ination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a19de0e9-b0a6-5af1-b5fd-d33b5ca62e22", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.158Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9", "2021-09-16T22:52:32.763Z", 14224, "code42-exfil-share-datatype", "f96e04ea6cbce1560b83bff7a42f29b0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 
ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.322Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335199Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"WindowsFormsIntegration.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",\"sha256Checksum\":\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.379Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdde
d\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-48da0a98-8bf3-5368-898a-38df3042e727", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.322Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsFormsIntegration.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.379Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281", "2021-09-16T22:52:32.766Z", 14736, "code42-exfil-share-datatype", "6e8097b4e0d86ed2d1fc1f6f1e3d3ed4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.322Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.345Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337890Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSync.Resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2382208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"3c69d0029f27ff52a1b4d3f70fef0d2b\",\"sha256Checksum\":\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"createTimestamp\":\"2021-09-08T09:32:12.114Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.146Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3b61846d-7e29-5db8-b9ac-8f09a942b29c", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.345Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSync.Resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.146Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f", "2021-09-16T22:52:32.760Z", 2382208, "code42-exfil-share-datatype", "3c69d0029f27ff52a1b4d3f70fef0d2b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.345Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.114Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.309Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337398Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxOutlook.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1439232,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"845c649d20d35fc78fbab0c0d9ec5ec6\",\"sha256Checksum\":\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.168Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"rem
ovableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-4e24a545-12b5-5f9d-b26a-bb7e332d690d", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.309Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxOutlook.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.168Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a", "2021-09-16T22:52:32.761Z", 1439232, "code42-exfil-share-datatype", "845c649d20d35fc78fbab0c0d9ec5ec6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", 
"FILE", "902428473202283166", "2021-09-16T22:48:27.309Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] 
ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.316Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336422Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e2dd338ceac0daebdfdf99d72e40fd80\",\"sha256Checksum\":\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.349Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7a401f3c-d0bf-5d2f-a8fd-832c43bf3a28", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.316Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.349Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34", "2021-09-16T22:52:32.761Z", 36240, "code42-exfil-share-datatype", "e2dd338ceac0daebdfdf99d72e40fd80", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.316Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 
ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.194Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336844Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Options.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":50552,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"89c3d573e8b2e5a71850a69f14fff1a5\",\"sha256Checksum\":\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileC
lassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5dfd09b1-1bb7-5ed5-8f2d-610478d2f8fa", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.194Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Options.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c", "2021-09-16T22:52:32.763Z", 50552, "code42-exfil-share-datatype", "89c3d573e8b2e5a71850a69f14fff1a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.194Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.350Z 804e3b095828 Skyformation - 8180994352798970218 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncConfig.exe fsize=635768 msg=Resource [Resource: file :: FileSyncConfig.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncConfig.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.389Z ext_md5Checksum=23843c09217f08eef3def81b6e92e645 ext_sharedWith=[] ext_sha256Checksum=282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=635768 ext_insertionTimestamp=2021-09-16T22:51:15.337907Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.374Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337907Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncConfig.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":635768,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"23843c09217f08eef3def81b6e92e645\",\"sha256Checksum\":\"282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99\",\"createTimestamp\":\"2021-09-08T09:32:12.374Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.389Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":
\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d415923a-bee3-570e-b61e-3d5b35de5969", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.350Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncConfig.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.389Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99", "2021-09-16T22:52:32.756Z", 635768, "code42-exfil-share-datatype", "23843c09217f08eef3def81b6e92e645", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.374Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.300Z 804e3b095828 Skyformation - 5713470709720643753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520300 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UpdateRingSettings.dll fsize=500600 msg=Resource [Resource: file :: UpdateRingSettings.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.300Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UpdateRingSettings.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.589Z ext_md5Checksum=8670927c143a1e54c0e7d9e7a56159b1 ext_sharedWith=[] ext_sha256Checksum=83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=500600 ext_insertionTimestamp=2021-09-16T22:51:22.314645Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.300Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314645Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"UpdateRingSettings.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":500600,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"8670927c143a1e54c0e7d9e7a56159b1\",\"sha256Checksum\":\"83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0\",\"createTimestamp\":\"2021-09-08T09:32:16.583Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.589Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableM
ediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-16d48bab-8124-5e36-b3e0-42349bf00cc4", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.300Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UpdateRingSettings.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.589Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0", "2021-09-16T22:52:32.756Z", 500600, "code42-exfil-share-datatype", "8670927c143a1e54c0e7d9e7a56159b1", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", 
"902428473202283166", "2021-09-16T22:48:40.300Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] 
ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.331Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337467Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.Core.winmd\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":20280,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d16aec0e28a5f509a04722edf62e01eb\",\"sha256Checksum\":\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.439Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":n
ull,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fe18df90-42e5-5d27-991a-1674d0d8c19a", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.331Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Office.UI.Xaml.Core.winmd", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.439Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7", "2021-09-16T22:52:32.764Z", 20280, "code42-exfil-share-datatype", "d16aec0e28a5f509a04722edf62e01eb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.331Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.196Z 804e3b095828 Skyformation - 5829787252207277270 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832499196 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.196Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.222Z ext_md5Checksum=0e8e10650f39cb0b09ba8c47f840530f ext_sharedWith=[] ext_sha256Checksum=f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.334964Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.196Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334964Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0e8e10650f39cb0b09ba8c47f840530f\",\"sha256Checksum\":\"f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.222Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDest
ination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-279e346e-a172-5393-bce2-3384bb0b5eff", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.196Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.222Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9", "2021-09-16T22:52:32.755Z", 14224, "code42-exfil-share-datatype", "0e8e10650f39cb0b09ba8c47f840530f", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.196Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.136Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336703Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"987db26b17dc24d5b7dec25db1c103c2\",\"sha256Checksum\":\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":n
ull,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d50e681f-cbb7-5757-b591-ef459f2fee04", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.136Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5", "2021-09-16T22:52:32.759Z", 18296, "code42-exfil-share-datatype", "987db26b17dc24d5b7dec25db1c103c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.136Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.123Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"igxim.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4910872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d19ae43d04b6c5c4b5f3fcc081b9e602\",\"sha256Checksum\":\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSy
stemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e9e5d067-489a-514d-9f2a-08e47f979775", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.123Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "igxim.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701", "2021-09-16T22:52:32.759Z", 4910872, "code42-exfil-share-datatype", "d19ae43d04b6c5c4b5f3fcc081b9e602", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.123Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.292Z 804e3b095828 Skyformation - 7352347330459896280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520292 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Telemetry.dll fsize=528248 msg=Resource [Resource: file :: Telemetry.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Telemetry.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.528Z ext_md5Checksum=eb3af15f534b067d98dac6a346728096 ext_sharedWith=[] ext_sha256Checksum=51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=528248 ext_insertionTimestamp=2021-09-16T22:51:22.314633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.519Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] 
ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Telemetry.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":528248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"eb3af15f534b067d98dac6a346728096\",\"sha256Checksum\":\"51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae\",\"createTimestamp\":\"2021-09-08T09:32:16.519Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.528Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"out
sideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2ab229de-8984-5eac-9af7-ee322bfd976e", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.292Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Telemetry.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.528Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae", "2021-09-16T22:52:32.758Z", 528248, "code42-exfil-share-datatype", "eb3af15f534b067d98dac6a346728096", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.519Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 
ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.102Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335997Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":31744,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"88d5e6253dcb376fb076c87713b3628e\",\"sha256Checksum\":\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"createTimestamp\":\"2021-09-09T09:44:28.614Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.054Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6b66f85d-68f8-5d9c-9c2a-b64a13f332bc", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.102Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.054Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a", "2021-09-16T22:52:32.766Z", 31744, "code42-exfil-share-datatype", "88d5e6253dcb376fb076c87713b3628e", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.102Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.614Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336563Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"AutoMapper.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":286720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff3c3d84a000d57ef7d443f594d407ec\",\"sha256Checksum\":\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"createTimestamp\":\"2021-06-17T09:48:12.583Z\",\"modifyTimestamp\":\"2021-06-17T09:48:17.915Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d912d326-0b65-5278-97f3-daacc2394c00", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.086Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "AutoMapper.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-06-17T09:48:17.915Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48", "2021-09-16T22:52:32.759Z", 286720, "code42-exfil-share-datatype", "ff3c3d84a000d57ef7d443f594d407ec", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-06-17T09:48:12.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337748Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"msoimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11529088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3f7fb1d32a7be58e65dc615a9553e183\",\"sha256Checksum\":\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:53.564Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"remov
ableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-12314f44-1778-5595-ad19-9d3d7cfc50fe", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.153Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msoimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:53.564Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc", "2021-09-16T22:52:32.766Z", 11529088, "code42-exfil-share-datatype", "3f7fb1d32a7be58e65dc615a9553e183", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", 
"FILE", "902428473202283166", "2021-09-16T22:48:31.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] 
ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.172Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336782Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Binder.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":24952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f97d210b3ede360f920e2b1d5b702d6b\",\"sha256Checksum\":\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2c21877d-e685-5034-ab53-29f1b1a2b738", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.172Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Binder.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4", "2021-09-16T22:52:32.763Z", 24952, "code42-exfil-share-datatype", "f97d210b3ede360f920e2b1d5b702d6b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.172Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 
ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335653Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6b163d1438afbe087bb895d76ea393e7\",\"sha256Checksum\":\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.926Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":
[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ae30f7b4-650d-56a3-990a-333256499e3b", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.258Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:49.926Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3", "2021-09-16T22:52:32.760Z", 14200, "code42-exfil-share-datatype", "6b163d1438afbe087bb895d76ea393e7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "191784ee-59ba-492b-97db-c26301c0b926", "observable": {"key": "322a628a-ad99-4707-8997-7260985f4c11", "value": "darnellw-official-win10.qa.code42.com", "indicators": [], "type": "domain", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [{"valid_time": {"start_time": "2021-09-17T09:49:18.897Z", "end_time": "2021-10-17T09:49:18.897Z"}, "observable": {"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}, "type": "verdict", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "disposition_name": "Unknown", "id": "verdict:Talos Intelligence:f0bd0871", "action": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "judgement_id": "transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156"}], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f0bd0871", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "domain", "value": "darnellw-official-win10.qa.code42.com"}, "type": "warning", "action_id": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for darnellw-official-win10.qa.code42.com than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "darnellw-official-win10.qa.code42.com", "id": "f0bd0871", "judgements": [{"valid_time": {"start_time": "2021-09-17T09:49:18.897Z", "end_time": "2021-10-17T09:49:18.897Z"}, "schema_version": "1.1.3", "observable": {"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}, "type": "judgement", "source": "Talos Intelligence", "disposition": 5, "module": "Talos Intelligence", "module-type": null, "reason": "Neutral Talos Intelligence reputation score", "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=darnellw-official-win10.qa.code42.com", "disposition_name": "Unknown", "priority": 90, "id": "transient:28af69b3-ee79-4e72-9c4c-22ddc1dad156", "severity": "Low", "tlp": "white", "action": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "ctr_uuid": "128d81cd-78f2-4744-98b6-d19900625aa0", "confidence": "High", "ctr_dispositionOrder": 4, "ctr_hide": false}], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.246Z 804e3b095828 Skyformation - 750953637013587902 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 
ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.725Z ext_md5Checksum=4fa0501c386184a3d8b599ab5bfdd7c2 ext_sharedWith=[] ext_sha256Checksum=72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335055Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.576Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_249\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335055Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4fa0501c386184a3d8b599ab5bfdd7c2\",\"sha256Checksum\":\"72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979\",\"createTimestamp\":\"2021-09-09T09:44:28.576Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.725Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d0d89806-4329-54f1-92f8-0085c4d17855", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.246Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.725Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "72ab5d9ea978293c981f4cb65e492ec3c7db9bea5764f23d79f6512e1a2fc979", "2021-09-16T22:52:32.757Z", 20992, "code42-exfil-share-datatype", "4fa0501c386184a3d8b599ab5bfdd7c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko-KR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.576Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 
ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336992Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.ComponentModel.Annotations.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":43152,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"7d3d14b0417a68ccdd9c51972ff74863\",\"sha256Checksum\":\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"
fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8a5e3684-e7b1-5b9f-a209-d7869b01aeb5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.258Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ComponentModel.Annotations.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4", "2021-09-16T22:52:32.766Z", 43152, "code42-exfil-share-datatype", "7d3d14b0417a68ccdd9c51972ff74863", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.285Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337054Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":293248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"64efa1bfed847afd252e7af274648474\",\"sha256Checksum\":\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-edff67a4-85b1-54b8-8379-dbf469aa9a5d", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.285Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237", "2021-09-16T22:52:32.764Z", 293248, "code42-exfil-share-datatype", "64efa1bfed847afd252e7af274648474", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.285Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.137Z 804e3b095828 Skyformation - 392809219994308060 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521137 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-rtlsupport-l1-1-0.dll fsize=12160 msg=Resource [Resource: file :: api-ms-win-core-rtlsupport-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.137Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-rtlsupport-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.749Z ext_md5Checksum=5bbca69ebadff5aa3456d95a857449f2 ext_sharedWith=[] ext_sha256Checksum=44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12160 ext_insertionTimestamp=2021-09-16T22:51:22.314900Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.748Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_87\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.137Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314900Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-rtlsupport-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12160,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5bbca69ebadff5aa3456d95a857449f2\",\"sha256Checksum\":\"44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751\",\"createTimestamp\":\"2021-09-08T09:32:11.748Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.749Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaNam
e\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5bae4ed0-ed1b-5e79-9ed0-91754da9aa59", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.137Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-rtlsupport-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:11.749Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "44334d59a79e9cbca624ac458a20438d8909922bcc73e91dc0d0451f70b55751", "2021-09-16T22:52:32.756Z", 12160, "code42-exfil-share-datatype", "5bbca69ebadff5aa3456d95a857449f2", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.137Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.748Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 
ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.262Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315284Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"msipc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3022712,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"dcd150947325c51dc49af1c568e76466\",\"sha256Checksum\":\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"createTimestamp\":\"2021-09-08T09:32:14.484Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.519Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applic
ation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3764815d-d2f5-579a-be20-2c6282346cd1", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.262Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msipc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.519Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1", "2021-09-16T22:52:32.766Z", 3022712, "code42-exfil-share-datatype", "dcd150947325c51dc49af1c568e76466", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.262Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.484Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.336Z 804e3b095828 Skyformation - 6096184265000961437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507336 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.HxAccounts.dll fsize=2942464 msg=Resource [Resource: file :: Office.UI.Xaml.HxAccounts.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.336Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.HxAccounts.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.642Z ext_md5Checksum=bae190aeab7c357c1ea766ab9254857c ext_sharedWith=[] ext_sha256Checksum=801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2942464 ext_insertionTimestamp=2021-09-16T22:51:15.337484Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_540\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.336Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337484Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.HxAccounts.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2942464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bae190aeab7c357c1ea766ab9254857c\",\"sha256Checksum\":\"801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.642Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null
,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", 
"id": "transient:sighting-7f297a60-2a09-5bd3-9ef1-18510e5792a1", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.336Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Office.UI.Xaml.HxAccounts.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.642Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "801b3ef8a3f57af57fe6f194c1a4c06fcf2113c5d6f7dcf837b2db49a1a80c2c", "2021-09-16T22:52:32.758Z", 2942464, "code42-exfil-share-datatype", "bae190aeab7c357c1ea766ab9254857c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", 
"Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.336Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] 
ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.307Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":53112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0bf7eed5f18b294cd26d33a71c831237\",\"sha256Checksum\":\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.098Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f7c7271c-b02f-55d5-8324-6347f8c2ef43", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.307Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.098Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28", "2021-09-16T22:52:32.764Z", 53112, "code42-exfil-share-datatype", "0bf7eed5f18b294cd26d33a71c831237", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.307Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.130Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336068Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d7b70d7ae944e13019a7796eb46e966c\",\"sha256Checksum\":\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6bbdcb3d-de81-5fa0-9ce8-8196cab49f6d", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.130Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "d7b70d7ae944e13019a7796eb46e966c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.130Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.199Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315098Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-runtime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":16248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"439e89fa2d4882b639df5e8ec7a96ba3\",\"sha256Checksum\":\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"createTimestamp\":\"2021-09-08T09:32:11.868Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mime
TypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c5651815-9eb9-5ee5-b593-f145187c5f2b", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.199Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-runtime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862", "2021-09-16T22:52:32.759Z", 16248, "code42-exfil-share-datatype", "439e89fa2d4882b639df5e8ec7a96ba3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.199Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.868Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 
ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.328Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c329416237b094613fc5f5a64b2ecbce\",\"sha256Checksum\":\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"createTimestamp\":\"2021-09-09T09:44:28.564Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.664Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cb002c03-bff8-50b9-ab6c-38e051f8eaac", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.328Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.664Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75", "2021-09-16T22:52:32.765Z", 30720, "code42-exfil-share-datatype", "c329416237b094613fc5f5a64b2ecbce", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.328Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.564Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.233Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336279Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":35728,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1b4ed26020dd106aaf2e1a6265dce9d\",\"sha256Checksum\":\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"createTimestamp\":\"2021-08-18T09:55:42.627Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.224Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-36abdf49-657a-59e8-9c6b-bc66f117a563", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.233Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.224Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f", "2021-09-16T22:52:32.760Z", 35728, "code42-exfil-share-datatype", "e1b4ed26020dd106aaf2e1a6265dce9d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.233Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.627Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.200Z 804e3b095828 Skyformation - 7793293095645548560 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501200 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=25088 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.200Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.082Z ext_md5Checksum=fa2e5b66e169df3e80f8eed33a789fbc ext_sharedWith=[] ext_sha256Checksum=9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=25088 
ext_insertionTimestamp=2021-09-16T22:51:15.336201Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.622Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_376\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.200Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336201Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":25088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fa2e5b66e169df3e80f8eed33a789fbc\",\"sha256Checksum\":\"9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950\",\"createTimestamp\":\"2021-09-09T09:44:28.622Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.082Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e29fa47e-bf50-58cf-9339-6c430ab38a62", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.200Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.082Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9712853ac1087f1201f11e3ec01bcc1819543256b0de84bcff5501efbac88950", "2021-09-16T22:52:32.757Z", 25088, "code42-exfil-share-datatype", "fa2e5b66e169df3e80f8eed33a789fbc", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ur-PK/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.200Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.622Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:47.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315494Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"fileName\":\"OneDriveSetup.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47927168,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82a458793a4b821e54408db1a0ae4124\",\"sha256Checksum\":\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"createTimestamp\":\"2021-09-14T09:30:08.167Z\",\"modifyTimestamp\":\"2021-09-14T09:29:55.334Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applica
tion/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:47Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e14fb3f3-aefb-52b4-b546-f90b3b7fd5d2", "observed_start_time": "2021-09-16T22:48:47Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:47.204Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "OneDriveSetup.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-14T09:29:55.334Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4", "2021-09-16T22:52:32.761Z", 47927168, "code42-exfil-share-datatype", "82a458793a4b821e54408db1a0ae4124", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:47.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-14T09:30:08.167Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337062Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Threading.Channels.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"523c15d2368a36583c90119fd9f52fe7\",\"sha256Checksum\":\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.230Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\
":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-ee91bb4e-5f06-55c9-a35c-5b16e355d85e", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.288Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Threading.Channels.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.230Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0", "2021-09-16T22:52:32.766Z", 45952, "code42-exfil-share-datatype", "523c15d2368a36583c90119fd9f52fe7", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z 
ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.190Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336835Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Logging.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":34168,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47d7a055ee7672f9b54ba629da07a6a3\",\"sha256Checksum\":\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a9032f0e-b114-516c-83c5-fcd804f2e56f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.190Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Logging.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c", "2021-09-16T22:52:32.766Z", 34168, "code42-exfil-share-datatype", "47d7a055ee7672f9b54ba629da07a6a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.190Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.248Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315215Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"ipcfile.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":519040,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c0ae22d4188ac20d9d83dd26ad0aabe8\",\"sha256Checksum\":\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"createTimestamp\":\"2021-09-08T09:32:13.591Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.599Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedi
aSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-69abadfe-25fd-5e4f-a407-b3da485bbc62", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.248Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ipcfile.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.599Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0", "2021-09-16T22:52:32.766Z", 519040, "code42-exfil-share-datatype", "c0ae22d4188ac20d9d83dd26ad0aabe8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.248Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z 
ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.295Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335136Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5a9f0b52ac62762bd03d34c0e410acb3\",\"sha256Checksum\":\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.316Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-24d9af69-669e-5391-ae0b-c18dc61ef987", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.295Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.316Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0", "2021-09-16T22:52:32.760Z", 15224, "code42-exfil-share-datatype", "5a9f0b52ac62762bd03d34c0e410acb3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.295Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.161Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334894Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"981e3dd612e3d93ba10c54e46d378aa5\",\"sha256Checksum\":\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.176Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-25fd1982-75f3-5e52-902d-b527a9cd6267", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.161Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.176Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0", "2021-09-16T22:52:32.762Z", 17784, "code42-exfil-share-datatype", "981e3dd612e3d93ba10c54e46d378aa5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.161Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.133Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336694Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":144760,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1edab455db5fec76120731d3c11cb67\",\"sha256Checksum\":\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.823Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5ee0bfc1-0b98-5a2f-bd7a-e2956ae8bd8c", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.133Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.823Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b", "2021-09-16T22:52:32.761Z", 144760, "code42-exfil-share-datatype", "e1edab455db5fec76120731d3c11cb67", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.133Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.108Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Google.Protobuf.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":401064,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e73f645a041a91618e33299cfe33851\",\"sha256Checksum\":\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.060Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMe
diaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-865b0547-28b5-5628-81aa-fd2365d64178", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.108Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Google.Protobuf.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.060Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661", "2021-09-16T22:52:32.766Z", 401064, "code42-exfil-share-datatype", "5e73f645a041a91618e33299cfe33851", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.108Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.153Z 804e3b095828 Skyformation - 7743569861848583628 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-timezone-l1-1-0.dll fsize=12152 msg=Resource [Resource: file :: api-ms-win-core-timezone-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-timezone-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.779Z ext_md5Checksum=1036215228ab84a9089baf43196b5347 ext_sharedWith=[] ext_sha256Checksum=5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12152 ext_insertionTimestamp=2021-09-16T22:51:22.314959Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.778Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_92\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314959Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-timezone-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12152,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"1036215228ab84a9089baf43196b5347\",\"sha256Checksum\":\"5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1\",\"createTimestamp\":\"2021-09-08T09:32:11.778Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.779Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-061845c2-9952-5d67-8de4-bc1db5becde4", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.153Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-timezone-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.779Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5397ad6242ae82dd3eb9cf0afa26185b2707e6134ae81ba6df7c02c1231f80c1", "2021-09-16T22:52:32.755Z", 12152, "code42-exfil-share-datatype", "1036215228ab84a9089baf43196b5347", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.778Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.212Z 804e3b095828 Skyformation - 5968313916744927868 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500212 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationCore.resources.dll fsize=108400 msg=Resource [Resource: file :: PresentationCore.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.212Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationCore.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.722Z ext_md5Checksum=5d4f96b6a42c28702870a533a7617bd5 ext_sharedWith=[] ext_sha256Checksum=30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=108400 
ext_insertionTimestamp=2021-09-16T22:51:15.335548Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.346Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_305\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.212Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335548Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"PresentationCore.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":108400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5d4f96b6a42c28702870a533a7617bd5\",\"sha256Checksum\":\"30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7\",\"createTimestamp\":\"2021-08-18T09:55:42.346Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.722Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],
\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b903a5a3-b012-5096-a170-05bc5a2946ba", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.212Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationCore.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:49.722Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30119606a63a6231366f694d34afd3d5867babdbcc7d21e47b8381fe3de4b1a7", "2021-09-16T22:52:32.757Z", 108400, "code42-exfil-share-datatype", "5d4f96b6a42c28702870a533a7617bd5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.212Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.346Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.191Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337203Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"fileName\":\"e_sqlite3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":870400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6844e4b40c797e392e1dddcfae0b8dd4\",\"sha256Checksum\":\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"createTimestamp\":\"2020-08-20T09:07:00.718Z\",\"modifyTimestamp\":\"2020-08-20T09:07:05.686Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-eb7e3801-f619-540e-a8f4-05fc9da73c0c", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.191Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "e_sqlite3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-08-20T09:07:05.686Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1", "2021-09-16T22:52:32.766Z", 870400, "code42-exfil-share-datatype", "6844e4b40c797e392e1dddcfae0b8dd4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.191Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-08-20T09:07:00.718Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username 
duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.192Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314319Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.Calc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1333608,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"29b2b242a9fb8c094425d566c50f0958\",\"sha256Checksum\":\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"createTimestamp\":\"2021-09-08T09:32:13.949Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.967Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestination
Username\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-34f54f93-f2dd-59f3-a154-10f1707d627b", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": 
{"start_time": "2021-09-16T22:48:40.192Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.Calc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.967Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64", "2021-09-16T22:52:32.760Z", 1333608, "code42-exfil-share-datatype", "29b2b242a9fb8c094425d566c50f0958", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.192Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.949Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 
2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.330Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335818Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1b1e7bc04757e673ca956218abdb7959\",\"sha256Checksum\":\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"createTimestamp\":\"2021-08-18T09:55:42.393Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.144Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":
null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6cd2b8fc-f731-57c1-86f5-fed67f0957a8", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.330Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.144Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb", "2021-09-16T22:52:32.766Z", 15736, "code42-exfil-share-datatype", "1b1e7bc04757e673ca956218abdb7959", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.330Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.393Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.280Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335704Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc434cced48beee1b8f867474c5cc33d\",\"sha256Checksum\":\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"createTimestamp\":\"2021-09-09T09:44:28.599Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.991Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f31e2487-c55b-515f-b8fc-e0a53f0ef25d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.280Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.991Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6", "2021-09-16T22:52:32.765Z", 26112, "code42-exfil-share-datatype", "dc434cced48beee1b8f867474c5cc33d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.280Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.599Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 
ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.128Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337977Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncTelemetryExtensions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":71544,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"faaf9d982dbaa8ab547098f1fb6abc81\",\"sha256Checksum\":\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"createTimestamp\":\"2021-09-08T09:32:13.402Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.405Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"r
emovableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-91f9087e-ab21-5688-acba-fb1eb85ba5b8", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.128Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncTelemetryExtensions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:13.405Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239", "2021-09-16T22:52:32.759Z", 71544, "code42-exfil-share-datatype", "faaf9d982dbaa8ab547098f1fb6abc81", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.128Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.402Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.166Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Caching.Memory.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":32120,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"9e7c8d18c1128488df0dea96a6b5be3c\",\"sha256Checksum\":\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.247Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-428b7375-7e1c-5850-8200-06507b5b34a0", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.166Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Caching.Memory.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.247Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f", "2021-09-16T22:52:32.764Z", 32120, "code42-exfil-share-datatype", "9e7c8d18c1128488df0dea96a6b5be3c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.166Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.284Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337354Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxCommModel.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4250624,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1d0bcfa0671f607ba8e3ab53f893e8bb\",\"sha256Checksum\":\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.137Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":n
ull,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-19161eab-42bb-5946-8a45-838595016d88", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.284Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxCommModel.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:52.137Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3", "2021-09-16T22:52:32.763Z", 4250624, "code42-exfil-share-datatype", "1d0bcfa0671f607ba8e3ab53f893e8bb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.284Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.160Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336148Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"077bb8ca6a783006aacb63d08317c339\",\"sha256Checksum\":\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61471_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fedbe573-b72a-5077-ba5e-941b4ee49a84", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.160Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92", "2021-09-16T22:52:32.764Z", 17272, "code42-exfil-share-datatype", "077bb8ca6a783006aacb63d08317c339", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.160Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.134Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336077Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Forms.Design.Editors.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":78200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3feb5a138ff178c1dd47a8a99f394517\",\"sha256Checksum\":\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.771Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"
windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-38500b3c-d09a-5933-9f12-8ce1bcf80dc7", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.134Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.Design.Editors.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.771Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30", "2021-09-16T22:52:32.759Z", 78200, "code42-exfil-share-datatype", "3feb5a138ff178c1dd47a8a99f394517", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.134Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314982Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-conio-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c61e3c9099cc2b143cc93bf26ac01d34\",\"sha256Checksum\":\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"createTimestamp\":\"2021-09-08T09:32:11.790Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.790Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTyp
eByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ea331943-231d-59ae-b045-bf2899370e95", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.158Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-conio-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.790Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc", "2021-09-16T22:52:32.763Z", 12664, "code42-exfil-share-datatype", "c61e3c9099cc2b143cc93bf26ac01d34", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.790Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:47:48.222Z\",\"insertionTimestamp\":\"2021-09-16T22:56:50.885010Z\",\"fieldErrors\":[],\"filePath\":\"C:/\",\"fileName\":\"sshd.pid\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":6,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4ae3b17c6481c84809152f331f7d783c\",\"sha256Checksum\":\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"createTimestamp\":\"2021-03-17T09:49:37.832Z\",\"modifyTimestamp\":\"2021-09-16T09:39:11.904Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch
\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:47:48Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-89f62135-5d10-5c8b-b5fa-817a2c27a8aa", "observed_start_time": "2021-09-16T22:47:48Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:47:48.222Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": 
"domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "sshd.pid", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T09:39:11.904Z", "application/octet-stream", "MODIFIED", "162.222.47.183", "darnell.waters", "c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750", "2021-09-16T22:58:29.756Z", 6, "code42-exfil-share-datatype", "4ae3b17c6481c84809152f331f7d783c", 57848, "false", "TRUE", "C:/", "Document", "Administrators", "FILE", "902428473202283166", "2021-09-16T22:47:48.222Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-03-17T09:49:37.832Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events 
dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.090Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335347Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":19968,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b2f71614b51575b117cfa4356d851423\",\"sha256Checksum\":\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"createTimestamp\":\"2021-09-09T09:44:28.589Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.950Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5dc47da6-f678-5f91-974b-61b966157a34", 
"observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.090Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.950Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b", "2021-09-16T22:52:32.761Z", 19968, "code42-exfil-share-datatype", "b2f71614b51575b117cfa4356d851423", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:20.090Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.589Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] 
ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337538Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"TextEntityExtractorProxy.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":638976,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f8af1754c0bdb86deb1f68930784d580\",\"sha256Checksum\":\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.205Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":
null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-136baa2d-5aea-5b0a-9418-0a52aa609308", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.350Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "TextEntityExtractorProxy.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.205Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab", "2021-09-16T22:52:32.767Z", 638976, "code42-exfil-share-datatype", "f8af1754c0bdb86deb1f68930784d580", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.076Z 804e3b095828 Skyformation - 147196130964191603 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832501076 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.076Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.014Z ext_md5Checksum=081d17a68c2295a810e0b139bfa4e114 ext_sharedWith=[] ext_sha256Checksum=99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335934Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.605Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_346\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.076Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335934Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"081d17a68c2295a810e0b139bfa4e114\",\"sha256Checksum\":\"99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038\",\"createTimestamp\":\"2021-09-09T09:44:28.605Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.014Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syn
cDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44b73b40-4221-578b-9eae-d3810396510a", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": 
"domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.076Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.014Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "99bb529e4065dd76e498e378a16bf9f742dab06668bf5b6a8302acda14b00038", "2021-09-16T22:52:32.756Z", 20992, "code42-exfil-share-datatype", "081d17a68c2295a810e0b139bfa4e114", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/sl-SI/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.076Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-09-09T09:44:28.605Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 
ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.146Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335417Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":208784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"beeb465b9ab84dbb8f78f866924d49fe\",\"sha256Checksum\":\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"createTimestamp\":\"2021-08-18T09:55:42.315Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.676Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdde
d\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a2446362-b761-59ca-b266-481be937f20d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.146Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.676Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154", "2021-09-16T22:52:32.766Z", 208784, "code42-exfil-share-datatype", "beeb465b9ab84dbb8f78f866924d49fe", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.146Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.315Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.207Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314378Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":729448,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"4bb5499613eca0fe0670a3cab2d5318e\",\"sha256Checksum\":\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"createTimestamp\":\"2021-09-08T09:32:14.205Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.217Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4705bfeb-5768-5df8-b473-f0f8d7e7e6fa", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.207Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.217Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636", "2021-09-16T22:52:32.764Z", 729448, "code42-exfil-share-datatype", "4bb5499613eca0fe0670a3cab2d5318e", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.207Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.205Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:46.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315412Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"fileName\":\"qtquickextrasplugin.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":80256,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"68118cdf04def6c50804a705773bbd9b\",\"sha256Checksum\":\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"createTimestamp\":\"2021-09-08T09:32:21.221Z\",\"modifyTimestamp\":\"2021-09-08T09:32:21.223Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"
removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:46Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", 
"id": "transient:sighting-5083602b-a06b-5d24-af8f-2bfe63c17e91", "observed_start_time": "2021-09-16T22:48:46Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:46.178Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "qtquickextrasplugin.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:21.223Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8", "2021-09-16T22:52:32.765Z", 80256, "code42-exfil-share-datatype", "68118cdf04def6c50804a705773bbd9b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:46.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:21.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.204Z 804e3b095828 Skyformation - 6039121869236992200 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.dll fsize=8971112 msg=Resource [Resource: file :: Microsoft.SharePoint.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.091Z ext_md5Checksum=aa47b460aedf810bc504ff9cea7b4b71 ext_sharedWith=[] 
ext_sha256Checksum=c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8971112 ext_insertionTimestamp=2021-09-16T22:51:22.314366Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.994Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_12\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314366Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":8971112,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"aa47b460aedf810bc504ff9cea7b4b71\",\"sha256Checksum\":\"c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268\",\"createTimestamp\":\"2021-09-08T09:32:13.994Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.091Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"
directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, 
"common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b2501b6d-6041-5a59-b80b-711a0c3b8cd0", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.204Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.091Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c3146a49fdad8a6dc40359eac2134720626dfbc3a7424721b027b23e686c1268", "2021-09-16T22:52:32.758Z", 8971112, "code42-exfil-share-datatype", "aa47b460aedf810bc504ff9cea7b4b71", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.994Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335127Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Forms.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":355192,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47613e3bfa408b3299c04d0df45433ba\",\"sha256Checksum\":\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.301Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ddd7dd6e-c60a-5d7c-a1c3-0df72e003f42", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.292Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.301Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5", "2021-09-16T22:52:32.763Z", 355192, "code42-exfil-share-datatype", "47613e3bfa408b3299c04d0df45433ba", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336218Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"vcruntime140_cor3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":97160,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18049f6811fc0f94547189a9e104f5d2\",\"sha256Checksum\":\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"createTimestamp\":\"2021-08-18T09:55:42.611Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.958Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removabl
eMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5fc598ee-3323-5bd8-b51e-6aa2487ff75f", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.206Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "vcruntime140_cor3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:53.958Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db", "2021-09-16T22:52:32.762Z", 97160, "code42-exfil-share-datatype", "18049f6811fc0f94547189a9e104f5d2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.611Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.060Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335277Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1ac89288b8009c9a0fb138fb9d67b150\",\"sha256Checksum\":\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"createTimestamp\":\"2021-09-09T09:44:28.586Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.943Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1817976c-22c7-5ba2-a2ec-9f106a5188a4", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.060Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.943Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780", "2021-09-16T22:52:32.763Z", 30720, "code42-exfil-share-datatype", "1ac89288b8009c9a0fb138fb9d67b150", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.060Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.586Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 
ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.278Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336341Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"UIAutomationClient.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18320,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e55e4041d9e6f6bf0d3738a25255913\",\"sha256Checksum\":\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.271Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":
[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7b553448-cac0-598c-9207-98392e4a6815", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.278Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationClient.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:54.271Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f", "2021-09-16T22:52:32.762Z", 18320, "code42-exfil-share-datatype", "5e55e4041d9e6f6bf0d3738a25255913", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.278Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.388Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314702Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-datetime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"98cfeaa96192d5dccc4a1852f6754fd5\",\"sha256Checksum\":\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"createTimestamp\":\"2021-09-08T09:32:11.142Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.155Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-821e586f-78f1-5c4b-a330-7c3a4a90e160", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.388Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-datetime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.155Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027", "2021-09-16T22:52:32.762Z", 11648, "code42-exfil-share-datatype", "98cfeaa96192d5dccc4a1852f6754fd5", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.388Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.142Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.216Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337256Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"libnanoapi.lib\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":1570,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bb41b302cf1325c4f459616da8e605a2\",\"sha256Checksum\":\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"createTimestamp\":\"2021-09-09T09:44:28.468Z\",\"modifyTimestamp\":\"2021-09-09T09:44:30.262Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\
":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-archive\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-326df068-94c9-5e34-81e0-c9ea9531369e", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.216Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libnanoapi.lib", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:30.262Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df", "2021-09-16T22:52:32.763Z", 1570, "code42-exfil-share-datatype", "bb41b302cf1325c4f459616da8e605a2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/", "Archive", "SYSTEM", "FILE", 
"902428473202283166", "2021-09-16T22:48:23.216Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.468Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] 
ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337045Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Encodings.Web.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":59768,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2e2490a823b4a3d290a98d0371d199ed\",\"sha256Checksum\":\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-098fcb07-3723-5a0e-8225-82803059eaf5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.281Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Encodings.Web.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724", "2021-09-16T22:52:32.766Z", 59768, "code42-exfil-share-datatype", "2e2490a823b4a3d290a98d0371d199ed", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.245Z 804e3b095828 Skyformation - 9011587025266222990 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500245 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xaml.resources.dll fsize=64400 msg=Resource [Resource: file :: System.Xaml.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.245Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Xaml.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.879Z ext_md5Checksum=79f7a9435ff548517a7219880789cca3 ext_sharedWith=[] ext_sha256Checksum=030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=64400 ext_insertionTimestamp=2021-09-16T22:51:15.335626Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_314\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.245Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335626Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Xaml.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":64400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"79f7a9435ff548517a7219880789cca3\",\"sha256Checksum\":\"030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNum
ber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-21427167-a3b0-5f52-8702-af47599ee1bb", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.245Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xaml.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "030cebbbf9fe1b850dffebbc54bbfbf896beb6f9934970f4298159abe0a8f683", "2021-09-16T22:52:32.758Z", 64400, "code42-exfil-share-datatype", "79f7a9435ff548517a7219880789cca3", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.245Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z 
ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.391Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314714Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-debug-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5c7fa0b68872c2d1d3f10601e3af2341\",\"sha256Checksum\":\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"createTimestamp\":\"2021-09-08T09:32:11.181Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.185Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"101
7088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 
30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-df11e4bd-5223-5ba3-998c-63e5b6a7404f", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.391Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", 
"api-ms-win-core-debug-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.185Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477", "2021-09-16T22:52:32.758Z", 11648, "code42-exfil-share-datatype", "5c7fa0b68872c2d1d3f10601e3af2341", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.391Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.181Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:30.321Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337686Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"inktotextengineimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":346480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3579a936952da7532c4358700bed43a3\",\"sha256Checksum\":\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.674Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\
"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:30Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8fc99d0b-10ae-5866-bcf6-596487b75f28", "observed_start_time": "2021-09-16T22:48:30Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:30.321Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "inktotextengineimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.674Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82", "2021-09-16T22:52:32.762Z", 346480, "code42-exfil-share-datatype", "3579a936952da7532c4358700bed43a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:30.321Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.125Z 804e3b095828 Skyformation - 6459940454527848135 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832501125 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=37264 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.125Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=0d48b65e82aff3b5d117729868cf0319 ext_sharedWith=[] ext_sha256Checksum=1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37264 ext_insertionTimestamp=2021-09-16T22:51:15.336060Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_360\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.125Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336060Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":37264,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0d48b65e82aff3b5d117729868cf0319\",\"sha256Checksum\":\"1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestinatio
n\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-68df9315-560d-5c70-8845-a14a097e8135", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.125Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b28f91c8999e6cf1beff575eabdd184ab5275030b5c505b1d07929863c7021d", "2021-09-16T22:52:32.757Z", 37264, "code42-exfil-share-datatype", "0d48b65e82aff3b5d117729868cf0319", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.125Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",\"sha256Checksum\":\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"createTimestamp\":\"2021-09-09T09:44:28.598Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.987Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"s
hared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c63c47b6-7c5e-566e-aa43-5f12c76a8510", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.288Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.987Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c", "2021-09-16T22:52:32.761Z", 26112, "code42-exfil-share-datatype", "c0d4746e3cb9e48dfa98f5e7d7bd98a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.598Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.303Z 804e3b095828 Skyformation - 808043852961842895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=256912 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.082Z ext_md5Checksum=dc8ca3ec6a99318b649dc686002e72d4 ext_sharedWith=[] ext_sha256Checksum=75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=256912 ext_insertionTimestamp=2021-09-16T22:51:15.335757Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_329\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.303Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335757Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":256912,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc8ca3ec6a99318b649dc686002e72d4\",\"sha256Checksum\":\"75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.082Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-affd0ffb-ec18-572a-a4fd-d077df9f8e38", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.303Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.082Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "75c6b9ed769906d4a3c9d926e1a5fadd482c162cf17bb3e72e8a727e09b1180c", "2021-09-16T22:52:32.757Z", 256912, "code42-exfil-share-datatype", "dc8ca3ec6a99318b649dc686002e72d4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.303Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.163Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335444Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b5cb4e7532586d8ec2a144fe895ef55d\",\"sha256Checksum\":\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"createTimestamp\":\"2021-08-18T09:55:42.330Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.707Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windo
wTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1d401e9a-2cb1-5def-a24d-24a9b8b5ac8b", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.163Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.707Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e", "2021-09-16T22:52:32.765Z", 17272, "code42-exfil-share-datatype", "b5cb4e7532586d8ec2a144fe895ef55d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.163Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.330Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337345Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":22965248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3bf2cfa3eeecd650c9564a2b6543b398\",\"sha256Checksum\":\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:51.480Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operating
SystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-59a10cc7-a14c-5876-9451-e86731e2b5a1", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.281Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": 
"src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:51.480Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680", "2021-09-16T22:52:32.760Z", 22965248, "code42-exfil-share-datatype", "3bf2cfa3eeecd650c9564a2b6543b398", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 
fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335338Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"mscorrc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":13176,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fc24926593d08479a7ed2bdaff458d20\",\"sha256Checksum\":\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"createTimestamp\":\"2021-08-18T09:55:42.252Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.613Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\
"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb64de71-ae43-53b8-99b8-1d60d6a1fce9", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.086Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorrc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.613Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532", "2021-09-16T22:52:32.759Z", 13176, "code42-exfil-share-datatype", "fc24926593d08479a7ed2bdaff458d20", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.252Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.231Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314459Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5DBus.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":437624,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"d10cb4ac9a26d6350f1079399351e9d3\",\"sha256Checksum\":\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"createTimestamp\":\"2021-09-08T09:32:15.238Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.354Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-51e040bc-c210-5e54-ab78-5a8a0241c9ec", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.231Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5DBus.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.354Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8", "2021-09-16T22:52:32.760Z", 437624, "code42-exfil-share-datatype", "d10cb4ac9a26d6350f1079399351e9d3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", 
"darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.231Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.238Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.139Z 804e3b095828 Skyformation - 675604398557112437 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502139 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Common.dll fsize=37240 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Common.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.139Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Common.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=405c72ee27026791aae1d61e63941509 ext_sharedWith=[] 
ext_sha256Checksum=838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=37240 ext_insertionTimestamp=2021-09-16T22:51:15.336712Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_435\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.139Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336712Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Common.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":37240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"405c72ee27026791aae1d61e63941509\",\"sha256Checksum\":\"838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f86a975c-9f26-5e51-802f-84c2af9a6932", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.139Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Common.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "838b9a96a277680c5ddcacb50e74f590f913a2f0e30c5dd19793e4f74744fa8a", "2021-09-16T22:52:32.756Z", 37240, "code42-exfil-share-datatype", "405c72ee27026791aae1d61e63941509", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.139Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336975Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Buffers.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20856,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ecdfe8ede869d2ccc6bf99981ea96400\",\"sha256Checksum\":\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.607Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMedi
aName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6952810f-046c-5949-8e5d-34f48532431a", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.246Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Buffers.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.607Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb", "2021-09-16T22:52:32.759Z", 20856, "code42-exfil-share-datatype", "ecdfe8ede869d2ccc6bf99981ea96400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.229Z 804e3b095828 Skyformation - 7367432510121182400 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520229 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Core.dll fsize=5929344 msg=Resource [Resource: file :: Qt5Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.229Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.180Z ext_md5Checksum=0629615fa66f3c3d4f16741c7fc04807 ext_sharedWith=[] ext_sha256Checksum=5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5929344 ext_insertionTimestamp=2021-09-16T22:51:22.314447Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.121Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_21\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.229Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314447Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5929344,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"0629615fa66f3c3d4f16741c7fc04807\",\"sha256Checksum\":\"5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5\",\"createTimestamp\":\"2021-09-08T09:32:15.121Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.180Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"appli
cation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66babe0b-6e97-52f2-964c-23812722ada2", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.229Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.180Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5a43601172a2dcc08a403a4bb3850e23513fc7d94d45c01495354d0b869331a5", "2021-09-16T22:52:32.756Z", 5929344, "code42-exfil-share-datatype", "0629615fa66f3c3d4f16741c7fc04807", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.229Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.121Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.124Z 804e3b095828 Skyformation - 4266986604087729995 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500124 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=20992 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.124Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.960Z ext_md5Checksum=303d4e1e6736b01a0e0d418c543c1346 ext_sharedWith=[] ext_sha256Checksum=4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20992 ext_insertionTimestamp=2021-09-16T22:51:15.335373Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_285\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.124Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335373Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20992,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"303d4e1e6736b01a0e0d418c543c1346\",\"sha256Checksum\":\"4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6\",\"createTimestamp\":\"2021-09-09T09:44:28.591Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.960Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVen
dor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3f6c10e2-6344-52d5-8291-7e3610ff01c3", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.124Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:33.960Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b0b3eb666a8098a93b38d8ffcd1926760edb8c52bc7d0863ce580024e00bea6", "2021-09-16T22:52:32.757Z", 20992, "code42-exfil-share-datatype", "303d4e1e6736b01a0e0d418c543c1346", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nl-NL/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.124Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.409Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314795Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-interlocked-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11640,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"72413f1254d09348dab76ee4e5e2e300\",\"sha256Checksum\":\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"createTimestamp\":\"2021-09-08T09:32:11.394Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.395Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dfa102a1-c14f-54fa-a264-167f1cca11d6", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.409Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-interlocked-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.395Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9", "2021-09-16T22:52:32.767Z", 11640, "code42-exfil-share-datatype", "72413f1254d09348dab76ee4e5e2e300", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.409Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.394Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.279Z 804e3b095828 Skyformation - 1930420880376628781 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507279 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.Ipc.Proxies.dll fsize=15872 msg=Resource [Resource: file :: HxComm.Ipc.Proxies.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.279Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.Ipc.Proxies.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.074Z ext_md5Checksum=cf6b921615692c64ac828dd7a37dd753 ext_sharedWith=[] ext_sha256Checksum=a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15872 
ext_insertionTimestamp=2021-09-16T22:51:15.337336Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_523\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.279Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337336Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.Ipc.Proxies.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"cf6b921615692c64ac828dd7a37dd753\",\"sha256Checksum\":\"a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.074Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[
],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a7581d2d-5489-5d5e-90a1-c3053d0c9faf", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.279Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.Ipc.Proxies.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:52.074Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a2d3e7e78226887ebe0a773b8649ea9a6cc2740138f4daec3a6a6dbb44708aa1", "2021-09-16T22:52:32.758Z", 15872, "code42-exfil-share-datatype", "cf6b921615692c64ac828dd7a37dd753", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.279Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314470Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Gui.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6671232,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f53d5cd7837e933cf4cc8c07a1a88350\",\"sha256Checksum\":\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"createTimestamp\":\"2021-09-08T09:32:15.375Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.450Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applic
ation/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-017b269d-f20a-556e-98ca-8882048439ca", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.234Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Gui.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:15.450Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0", "2021-09-16T22:52:32.762Z", 6671232, "code42-exfil-share-datatype", "f53d5cd7837e933cf4cc8c07a1a88350", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.234Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.375Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.168Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336774Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Abstractions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":21368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1c8f3a5d41fd162943613952097db8b\",\"sha256Checksum\":\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableM
ediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7eaa3a3c-8d7d-5542-ba3c-9a16e57c793b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.168Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Abstractions.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732", "2021-09-16T22:52:32.765Z", 21368, "code42-exfil-share-datatype", "e1c8f3a5d41fd162943613952097db8b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.168Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.219Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336922Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Newtonsoft.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":653824,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f33cbe589b769956284868104686cc2d\",\"sha256Checksum\":\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"createTimestamp\":\"2020-05-21T13:18:58.618Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.588Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fe8ae781-02a0-5307-abd5-6384db4d2597", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.219Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Newtonsoft.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.588Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278", "2021-09-16T22:52:32.761Z", 653824, "code42-exfil-share-datatype", "f33cbe589b769956284868104686cc2d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.219Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.201Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314355Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.WebSocketClient.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1103208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"e93c70df0faa580e8272c9c833238352\",\"sha256Checksum\":\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"createTimestamp\":\"2021-09-08T09:32:14.457Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.468Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMed
iaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5da6e225-f60e-5faa-9c7e-9550e0df63ac", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.201Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.WebSocketClient.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.468Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00", "2021-09-16T22:52:32.763Z", 1103208, "code42-exfil-share-datatype", "e93c70df0faa580e8272c9c833238352", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.201Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.457Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.303Z 804e3b095828 Skyformation - 2504656101616966541 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520303 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WebView2Loader.dll fsize=136576 msg=Resource [Resource: file :: WebView2Loader.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.303Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WebView2Loader.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.620Z ext_md5Checksum=82c2b3a8e75ab4fc6cc1360ea2c663e3 ext_sharedWith=[] ext_sha256Checksum=d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=136576 ext_insertionTimestamp=2021-09-16T22:51:22.314656Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_46\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.303Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314656Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"WebView2Loader.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":136576,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82c2b3a8e75ab4fc6cc1360ea2c663e3\",\"sha256Checksum\":\"d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a\",\"createTimestamp\":\"2021-09-08T09:32:16.618Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.620Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\
"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-02622f5a-4fce-56fe-901b-863245b815d6", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.303Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WebView2Loader.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.620Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d67d5383d8fcd477ccd308207448369f8aebe79c0c4eae3f97574d30f469e27a", "2021-09-16T22:52:32.755Z", 136576, "code42-exfil-share-datatype", "82c2b3a8e75ab4fc6cc1360ea2c663e3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.303Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.250Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336984Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Collections.Immutable.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":302216,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d8203aedaabeac1e606cd0e2af397d01\",\"sha256Checksum\":\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.294Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,
\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dfab61df-0096-5423-8a0c-b2c4dc5b8b98", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.250Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Collections.Immutable.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.294Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57", "2021-09-16T22:52:32.760Z", 302216, "code42-exfil-share-datatype", "d8203aedaabeac1e606cd0e2af397d01", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.250Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.105Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336624Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"DotNetty.Transport.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":254464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a67dcf64aab4980b9bd9fb623cc7242\",\"sha256Checksum\":\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.044Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-37290152-c41e-56db-908e-bd32da2df133", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.105Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "DotNetty.Transport.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.044Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4", "2021-09-16T22:52:32.765Z", 254464, "code42-exfil-share-datatype", "4a67dcf64aab4980b9bd9fb623cc7242", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.105Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 
ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.268Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334477Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45448,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c9ea75b02fd1d01f87d8ca868c1ec833\",\"sha256Checksum\":\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"createTimestamp\":\"2021-08-18T09:55:42.111Z\",\"modifyTimestamp\":\"2021-08-18T09:55:47.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"file
Classifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-536ae9c9-aa2b-556e-92fa-d090d49269b6", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.268Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:47.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d", "2021-09-16T22:52:32.759Z", 45448, "code42-exfil-share-datatype", "c9ea75b02fd1d01f87d8ca868c1ec833", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.268Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.111Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.098Z 804e3b095828 Skyformation - 7444223728288167550 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508098 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointl30_winrt.dll fsize=86384 msg=Resource [Resource: file :: msointl30_winrt.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.098Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointl30_winrt.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.683Z ext_md5Checksum=18ad415ef30924748d83afeeee4d9cb0 ext_sharedWith=[] ext_sha256Checksum=e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=86384 ext_insertionTimestamp=2021-09-16T22:51:15.337616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_560\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.098Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointl30_winrt.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":86384,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18ad415ef30924748d83afeeee4d9cb0\",\"sha256Checksum\":\"e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.683Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null
,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7e4dc97b-2030-545d-a650-c48fd51597ec", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.098Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": 
"src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointl30_winrt.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.683Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7bd1b920aaf77c046f1fab80e3cf9f16858c19baf732c4ae2bba5cdc16486fd", "2021-09-16T22:52:32.758Z", 86384, "code42-exfil-share-datatype", "18ad415ef30924748d83afeeee4d9cb0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.098Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username duser=darnell.waters 
end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.411Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314807Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"94d4e2bb8654b77c41cd35574e3f0299\",\"sha256Checksum\":\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"createTimestamp\":\"2021-09-08T09:32:11.401Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.402Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncD
estinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44a1a814-a037-5649-ace1-3f3276228e78", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": 
{"start_time": "2021-09-16T22:48:40.411Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-libraryloader-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.402Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082", "2021-09-16T22:52:32.762Z", 12664, "code42-exfil-share-datatype", "94d4e2bb8654b77c41cd35574e3f0299", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.411Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.401Z"]]}}, {"suspicious": 0, "description": 
"```\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.132Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334824Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b81fa8bc88192c7febd2479638aea569\",\"sha256Checksum\":\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"createTimestamp\":\"2021-08-18T09:55:42.158Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.113Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure
\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6b44195a-efec-59e6-90b2-a72c680eb96b", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.132Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.113Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "b81fa8bc88192c7febd2479638aea569", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.132Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.158Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.325Z 804e3b095828 Skyformation - 5312164448627929884 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499325 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=3584 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.325Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.728Z ext_md5Checksum=c62d73c8ea0d55db08cceec7afc7e3cc ext_sharedWith=[] ext_sha256Checksum=2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3584 ext_insertionTimestamp=2021-09-16T22:51:15.335208Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.577Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_266\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.325Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335208Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3584,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c62d73c8ea0d55db08cceec7afc7e3cc\",\"sha256Checksum\":\"2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd\",\"createTimestamp\":\"2021-09-09T09:44:28.577Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.728Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cf841002-dfb0-5c90-9fb1-281afd8d004d", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.325Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.728Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2985a8f736f2df822432b459d1832fe1a7a407bc4e6066b03a4dc321bd60b3fd", "2021-09-16T22:52:32.756Z", 3584, "code42-exfil-share-datatype", "c62d73c8ea0d55db08cceec7afc7e3cc", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ky-KG/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.325Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.577Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.241Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335618Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",\"sha256Checksum\":\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.863Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,
\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d03cc6e3-0d73-5ec3-902a-28c04f19e570", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.241Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.863Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d", "2021-09-16T22:52:32.765Z", 15240, "code42-exfil-share-datatype", "d1b7ec7c3a95ec1e84117bfef59f1ab6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.241Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.175Z 804e3b095828 Skyformation - 937782685410137034 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511175 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=saext.dll fsize=559480 msg=Resource [Resource: file :: saext.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.175Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=saext.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.174Z ext_md5Checksum=4a0f85409681a359adbbda4104daa7fb ext_sharedWith=[] ext_sha256Checksum=046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=559480 ext_insertionTimestamp=2021-09-16T22:51:15.337820Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_782\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.175Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337820Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"saext.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":559480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a0f85409681a359adbbda4104daa7fb\",\"sha256Checksum\":\"046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.174Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSys
temUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2113c1b0-3556-58e7-a54a-1004516f2597", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.175Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "saext.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.174Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "046c39eb0d7a4d900e9c33ee0ac823661f1d01dad09a6268d77c5eaf7901fdb9", "2021-09-16T22:52:32.758Z", 559480, "code42-exfil-share-datatype", "4a0f85409681a359adbbda4104daa7fb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:31.175Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM 
ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.100Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337625Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointlimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":377184,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"99d060c13d92442ea518ad6c13305532\",\"sha256Checksum\":\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"email
Sender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-534dea1b-0dc4-5ca4-8133-5b7d820baf25", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.100Z"}, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointlimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191", "2021-09-16T22:52:32.765Z", 377184, "code42-exfil-share-datatype", "99d060c13d92442ea518ad6c13305532", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.100Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 
ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.089Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336572Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Castle.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":442368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2fba45e50a9fb187e9873416bc6b4400\",\"sha256Checksum\":\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"createTimestamp\":\"2021-05-13T09:36:01.137Z\",\"modifyTimestamp\":\"2021-05-13T09:36:05.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\"
:[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fdc9d09f-3af0-54ae-a39c-63221dc894ec", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.089Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Castle.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:05.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23", "2021-09-16T22:52:32.760Z", 442368, "code42-exfil-share-datatype", "2fba45e50a9fb187e9873416bc6b4400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.089Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.137Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315122Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-string-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f340a17ac423c71767d66973f69d05c8\",\"sha256Checksum\":\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"createTimestamp\":\"2021-09-08T09:32:11.882Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.883Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeT
ypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d693bd9e-8d43-50df-a4ca-e6e50cf7b354", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.206Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-string-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.883Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa", "2021-09-16T22:52:32.761Z", 18296, "code42-exfil-share-datatype", "f340a17ac423c71767d66973f69d05c8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.882Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 
ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.184Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337194Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"libnanoapimanaged.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7197696,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff0f788645e78335908728321c10454b\",\"sha256Checksum\":\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"createTimestamp\":\"2021-09-09T09:44:28.638Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.359Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"re
movableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3dc7244c-e1bd-5b60-bdb4-2cb874a6fd43", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.184Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "libnanoapimanaged.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.359Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c", "2021-09-16T22:52:32.759Z", 7197696, "code42-exfil-share-datatype", "ff0f788645e78335908728321c10454b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.184Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.638Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337186Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"YourPhoneServer.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47104,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"640c3b31c496531dacc0a8fb830fd457\",\"sha256Checksum\":\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"createTimestamp\":\"2021-09-09T09:44:28.653Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.484Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSyst
emUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0fff593c-89eb-5aa2-84bb-cb724b886696", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.178Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneServer.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.484Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7", "2021-09-16T22:52:32.765Z", 47104, "code42-exfil-share-datatype", "640c3b31c496531dacc0a8fb830fd457", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.653Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.158Z 804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336139Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f96e04ea6cbce1560b83bff7a42f29b0\",\"sha256Checksum\":\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDest
ination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a19de0e9-b0a6-5af1-b5fd-d33b5ca62e22", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.158Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9", "2021-09-16T22:52:32.763Z", 14224, "code42-exfil-share-datatype", "f96e04ea6cbce1560b83bff7a42f29b0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 
ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.322Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335199Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"WindowsFormsIntegration.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",\"sha256Checksum\":\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.379Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdde
d\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-48da0a98-8bf3-5368-898a-38df3042e727", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.322Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsFormsIntegration.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:48.379Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281", "2021-09-16T22:52:32.766Z", 14736, "code42-exfil-share-datatype", "6e8097b4e0d86ed2d1fc1f6f1e3d3ed4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.322Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.345Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337890Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSync.Resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2382208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"3c69d0029f27ff52a1b4d3f70fef0d2b\",\"sha256Checksum\":\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"createTimestamp\":\"2021-09-08T09:32:12.114Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.146Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3b61846d-7e29-5db8-b9ac-8f09a942b29c", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.345Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSync.Resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.146Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f", "2021-09-16T22:52:32.760Z", 2382208, "code42-exfil-share-datatype", "3c69d0029f27ff52a1b4d3f70fef0d2b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.345Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.114Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.309Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337398Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxOutlook.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1439232,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"845c649d20d35fc78fbab0c0d9ec5ec6\",\"sha256Checksum\":\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.168Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"rem
ovableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-4e24a545-12b5-5f9d-b26a-bb7e332d690d", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.309Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxOutlook.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.168Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a", "2021-09-16T22:52:32.761Z", 1439232, "code42-exfil-share-datatype", "845c649d20d35fc78fbab0c0d9ec5ec6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", 
"FILE", "902428473202283166", "2021-09-16T22:48:27.309Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] 
ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.316Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336422Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e2dd338ceac0daebdfdf99d72e40fd80\",\"sha256Checksum\":\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.349Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7a401f3c-d0bf-5d2f-a8fd-832c43bf3a28", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.316Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.349Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34", "2021-09-16T22:52:32.761Z", 36240, "code42-exfil-share-datatype", "e2dd338ceac0daebdfdf99d72e40fd80", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.316Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 
ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.194Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336844Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Options.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":50552,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"89c3d573e8b2e5a71850a69f14fff1a5\",\"sha256Checksum\":\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileC
lassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5dfd09b1-1bb7-5ed5-8f2d-610478d2f8fa", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.194Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Options.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c", "2021-09-16T22:52:32.763Z", 50552, "code42-exfil-share-datatype", "89c3d573e8b2e5a71850a69f14fff1a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.194Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.350Z 804e3b095828 Skyformation - 8180994352798970218 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncConfig.exe fsize=635768 msg=Resource [Resource: file :: FileSyncConfig.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncConfig.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.389Z ext_md5Checksum=23843c09217f08eef3def81b6e92e645 ext_sharedWith=[] ext_sha256Checksum=282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=635768 ext_insertionTimestamp=2021-09-16T22:51:15.337907Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.374Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_987\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337907Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncConfig.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":635768,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"23843c09217f08eef3def81b6e92e645\",\"sha256Checksum\":\"282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99\",\"createTimestamp\":\"2021-09-08T09:32:12.374Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.389Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":
\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d415923a-bee3-570e-b61e-3d5b35de5969", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.350Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncConfig.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.389Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "282f55ad677e0cf304d8c71d6f1d363333a0ac59587121b0f5345dd4711f9f99", "2021-09-16T22:52:32.756Z", 635768, "code42-exfil-share-datatype", "23843c09217f08eef3def81b6e92e645", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.374Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.300Z 804e3b095828 Skyformation - 5713470709720643753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520300 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UpdateRingSettings.dll fsize=500600 msg=Resource [Resource: file :: UpdateRingSettings.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.300Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UpdateRingSettings.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.589Z ext_md5Checksum=8670927c143a1e54c0e7d9e7a56159b1 ext_sharedWith=[] ext_sha256Checksum=83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=500600 ext_insertionTimestamp=2021-09-16T22:51:22.314645Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_44\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.300Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314645Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"UpdateRingSettings.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":500600,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"8670927c143a1e54c0e7d9e7a56159b1\",\"sha256Checksum\":\"83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0\",\"createTimestamp\":\"2021-09-08T09:32:16.583Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.589Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableM
ediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-16d48bab-8124-5e36-b3e0-42349bf00cc4", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.300Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UpdateRingSettings.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.589Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "83a5f3afaa2475732e39c3efc36d2b0a83dcc00d36195d77aff16ad67008a5d0", "2021-09-16T22:52:32.756Z", 500600, "code42-exfil-share-datatype", "8670927c143a1e54c0e7d9e7a56159b1", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", 
"902428473202283166", "2021-09-16T22:48:40.300Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] 
ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.331Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337467Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.Core.winmd\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":20280,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d16aec0e28a5f509a04722edf62e01eb\",\"sha256Checksum\":\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.439Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":n
ull,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fe18df90-42e5-5d27-991a-1674d0d8c19a", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.331Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, 
{"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Office.UI.Xaml.Core.winmd", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.439Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7", "2021-09-16T22:52:32.764Z", 20280, "code42-exfil-share-datatype", "d16aec0e28a5f509a04722edf62e01eb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.331Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.196Z 804e3b095828 Skyformation - 5829787252207277270 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 dproc=file events dtz=default-tenant duid=username duser=SYSTEM 
end=1631832499196 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.196Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.222Z ext_md5Checksum=0e8e10650f39cb0b09ba8c47f840530f ext_sharedWith=[] ext_sha256Checksum=f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.334964Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_241\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.196Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334964Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0e8e10650f39cb0b09ba8c47f840530f\",\"sha256Checksum\":\"f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.222Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDest
ination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-279e346e-a172-5393-bce2-3384bb0b5eff", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "domain", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.196Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.222Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f2171bb0f09083c93f350983d812846ae25bd513083a320dce2823174c376cc9", "2021-09-16T22:52:32.755Z", 14224, "code42-exfil-share-datatype", "0e8e10650f39cb0b09ba8c47f840530f", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.196Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.136Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336703Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"987db26b17dc24d5b7dec25db1c103c2\",\"sha256Checksum\":\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":n
ull,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d50e681f-cbb7-5757-b591-ef459f2fee04", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.136Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5", "2021-09-16T22:52:32.759Z", 18296, "code42-exfil-share-datatype", "987db26b17dc24d5b7dec25db1c103c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.136Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.123Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"igxim.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4910872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d19ae43d04b6c5c4b5f3fcc081b9e602\",\"sha256Checksum\":\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSy
stemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e9e5d067-489a-514d-9f2a-08e47f979775", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.123Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", 
"type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "igxim.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701", "2021-09-16T22:52:32.759Z", 4910872, "code42-exfil-share-datatype", "d19ae43d04b6c5c4b5f3fcc081b9e602", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.123Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.292Z 804e3b095828 Skyformation - 7352347330459896280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520292 fileHash=File 
filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Telemetry.dll fsize=528248 msg=Resource [Resource: file :: Telemetry.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Telemetry.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:16.528Z ext_md5Checksum=eb3af15f534b067d98dac6a346728096 ext_sharedWith=[] ext_sha256Checksum=51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=528248 ext_insertionTimestamp=2021-09-16T22:51:22.314633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:16.519Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] 
ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_41\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Telemetry.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":528248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"eb3af15f534b067d98dac6a346728096\",\"sha256Checksum\":\"51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae\",\"createTimestamp\":\"2021-09-08T09:32:16.519Z\",\"modifyTimestamp\":\"2021-09-08T09:32:16.528Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"out
sideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2ab229de-8984-5eac-9af7-ee322bfd976e", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.292Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Telemetry.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:16.528Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "51097229fcac7978df0085835ad4bf977a275bc148cf72af1a790b34160d6aae", "2021-09-16T22:52:32.758Z", 528248, "code42-exfil-share-datatype", "eb3af15f534b067d98dac6a346728096", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:16.519Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 
ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.102Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335997Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":31744,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"88d5e6253dcb376fb076c87713b3628e\",\"sha256Checksum\":\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"createTimestamp\":\"2021-09-09T09:44:28.614Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.054Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\
":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6b66f85d-68f8-5d9c-9c2a-b64a13f332bc", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.102Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.054Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a", "2021-09-16T22:52:32.766Z", 31744, "code42-exfil-share-datatype", "88d5e6253dcb376fb076c87713b3628e", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.102Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.614Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336563Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"AutoMapper.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":286720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff3c3d84a000d57ef7d443f594d407ec\",\"sha256Checksum\":\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"createTimestamp\":\"2021-06-17T09:48:12.583Z\",\"modifyTimestamp\":\"2021-06-17T09:48:17.915Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d912d326-0b65-5278-97f3-daacc2394c00", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.086Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "AutoMapper.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-06-17T09:48:17.915Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48", "2021-09-16T22:52:32.759Z", 286720, "code42-exfil-share-datatype", "ff3c3d84a000d57ef7d443f594d407ec", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-06-17T09:48:12.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337748Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"msoimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11529088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3f7fb1d32a7be58e65dc615a9553e183\",\"sha256Checksum\":\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:53.564Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"remov
ableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-12314f44-1778-5595-ad19-9d3d7cfc50fe", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.153Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msoimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:53.564Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc", "2021-09-16T22:52:32.766Z", 11529088, "code42-exfil-share-datatype", "3f7fb1d32a7be58e65dc615a9553e183", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", 
"FILE", "902428473202283166", "2021-09-16T22:48:31.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] 
ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.172Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336782Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Binder.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":24952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f97d210b3ede360f920e2b1d5b702d6b\",\"sha256Checksum\":\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2c21877d-e685-5034-ab53-29f1b1a2b738", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.172Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Binder.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4", "2021-09-16T22:52:32.763Z", 24952, "code42-exfil-share-datatype", "f97d210b3ede360f920e2b1d5b702d6b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.172Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 
ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335653Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6b163d1438afbe087bb895d76ea393e7\",\"sha256Checksum\":\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.926Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":
[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "darnellw-official-win10.qa.code42.com", "observables": [{"value": "darnellw-official-win10.qa.code42.com", "type": "domain"}], "obs": "domain:darnellw-official-win10.qa.code42.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ae30f7b4-650d-56a3-990a-333256499e3b", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "domain", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.258Z"}, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-18T09:55:49.926Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3", "2021-09-16T22:52:32.760Z", 14200, "code42-exfil-share-datatype", "6b163d1438afbe087bb895d76ea393e7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}], "revListOrder": 4}, "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f0bd0871", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "domain", "value": "darnellw-official-win10.qa.code42.com"}, "type": "warning", "action_id": "b2159bf9-6bf6-4a8d-8959-9e8f33d5a856", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for darnellw-official-win10.qa.code42.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "disposition": 5, "type": "domain", "value": "darnellw-official-win10.qa.code42.com", "id": "f0bd0871"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-9dcbc1ae-0064-450d-8415-8c7297a32c72", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T09:49:47.000Z", "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} \ No newline at end of file diff --git a/Exabeam/Snapshot-with-email.json b/Exabeam/Snapshot-with-email.json index 43ca690a..182669bf 100644 --- a/Exabeam/Snapshot-with-email.json +++ b/Exabeam/Snapshot-with-email.json 
@@ -1 +1 @@ -{"schema_version": "1.1.3", "type": "investigation", "search-txt": "email:\"kathy.kane@c42se.com\"", "actions": "[{\"arg\":\"kathy.kane@c42se.com\",\"created\":\"2021-09-17T08:46:04.089Z\",\"id\":\"collect-e0239c51\",\"result\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T08:46:04.306Z\",\"uuid\":\"e62a0e76-42ce-4977-80a5-d096a2a9bc10\"},{\"arg\":{\"type\":\"email\",\"value\":\"kathy.kane@c42se.com\"},\"created\":\"2021-09-17T08:46:04.326Z\",\"id\":\"investigate-8afc4a57\",\"result\":{\"data\":[{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":100,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T21:23:02.291Z 804e3b095828 Skyformation - 2954122368002305264 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 dproc=file events dtz=default-tenant end=1631827382291 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:23:02.291Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:23:00.987Z ext_md5Checksum=8a6258884d44fdd107707ad5c0cf2bea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659019 ext_insertionTimestamp=2021-09-16T21:23:35.061605Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:23:02.291Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:23:35.061605Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659019,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8a6258884d44fdd107707ad5c0cf2bea\\\",\\\"sha256Checksum\\\":\\\"4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:23:00.987Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61418_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5e37db0d-c059-56cc-8397-ed743e0042df\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:23:02.291Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:23:00.987Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b\",\"2021-09-16T21:24:29.095Z\",6659019,\"code42-exfil-share-datatype\",\"8a6258884d44fdd107707ad5c0cf2bea\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:23:02.291Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 3347113359677108016 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XmlSerializer.dll fsize=8704 msg=Resource [Resource: file :: System.Xml.XmlSerializer.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlSerializer.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=0cc4665479b5e519b2597b93577de1aa ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8704 ext_insertionTimestamp=2021-09-16T19:18:39.567112Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.745Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567112Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XmlSerializer.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":8704,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"0cc4665479b5e519b2597b93577de1aa\\\",\\\"sha256Checksum\\\":\\\"027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_3_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a8e336e0-e775-5f81-a1d7-1d703bd8e157\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.745Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XmlSerializer.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba\",\"2021-09-16T19:20:29.167Z\",8704,\"code42-exfil-share-datatype\",\"0cc4665479b5e519b2597b93577de1aa\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.745Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:39:00.979Z 804e3b095828 Skyformation - 2580885261986268761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 dproc=file events dtz=default-tenant end=1631831940979 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:39:00.979Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:39:00.479Z ext_md5Checksum=693b07e79c0ed75e36f7a60f836ef1a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661223 ext_insertionTimestamp=2021-09-16T22:39:31.810355Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:39:00.979Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:39:31.810355Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661223,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"693b07e79c0ed75e36f7a60f836ef1a9\\\",\\\"sha256Checksum\\\":\\\"d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:39:00.479Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61427_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bbe544a7-4712-503d-8e2b-e850af9a8a35\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:39:00.979Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:39:00.479Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0\",\"2021-09-16T22:40:29.619Z\",6661223,\"code42-exfil-share-datatype\",\"693b07e79c0ed75e36f7a60f836ef1a9\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:39:00.979Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:23:01.992Z 804e3b095828 Skyformation - 134014797071545939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 dproc=file events dtz=default-tenant end=1631823781992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:23:01.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:23:00.252Z ext_md5Checksum=e95fbbc4261d5827634041a0f12107a0 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657279 ext_insertionTimestamp=2021-09-16T20:23:47.534223Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:23:01.992Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:23:47.534223Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657279,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"e95fbbc4261d5827634041a0f12107a0\\\",\\\"sha256Checksum\\\":\\\"2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:23:00.252Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"172.20.64.15\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61341_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-36285ceb-2bb5-537c-aee4-140da8e61c9d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:23:01.992Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"172.20.64.15\",\"2021-09-16T20:23:00.252Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09\",\"2021-09-16T20:24:29.211Z\",6657279,\"code42-exfil-share-datatype\",\"e95fbbc4261d5827634041a0f12107a0\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:23:01.992Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 4664902644332636172 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar fsize=14514207 msg=Resource [Resource: file :: test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:29.203Z ext_md5Checksum=34dd2200b09a5c51bbd84acdeb98b606 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14514207 ext_insertionTimestamp=2021-09-16T19:18:39.567904Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:28.792Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567904Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14514207,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"34dd2200b09a5c51bbd84acdeb98b606\\\",\\\"sha256Checksum\\\":\\\"13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:28.792Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:29.203Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61263_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1a735af4-fe4a-5bf6-8aa8-32b39f6cb717\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:29.203Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e\",\"2021-09-16T19:20:29.158Z\",14514207,\"code42-exfil-share-datatype\",\"34dd2200b09a5c51bbd84acdeb98b606\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:28.792Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.820Z 804e3b095828 Skyformation - 3517425595454456489 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723820 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was created by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.820Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567369Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.820Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567369Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"nethost.h\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"SourceCode\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"SourceCode\\\",\\\"fileSize\\\":2709,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"43b6f3115aa52ad9540bdbe756e1a9b3\\\",\\\"sha256Checksum\\\":\\\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:38:56Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:38:56Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":nu
ll,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/x-chdr\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9e830775-5347-525c-aedd-78a6ed9a978d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:23.820Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"SourceCode\",\"Endpoint\",\"nethost.h\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2020-01-17T20:38:56Z\",\"text/x-chdr\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"2021-09-16T19:20:29.167Z\",2709,\"code42-exfil-share-datatype\",\"43b6f3115aa52ad9540bdbe756e1a9b3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"SourceCode\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.820Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:38:56Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 465235528329935198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.563Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 ext_insertionTimestamp=2021-09-16T19:18:39.567718Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.281Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.006Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567718Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7657197,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"61898b6da7ebbf3a13be7c76ae49e5f5\\\",\\\"sha256Checksum\\\":\\\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:30.281Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:30.563Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_11_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4e7fd42a-7da6-52ff-a103-0ef33800ab52\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.006Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:30.563Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"2021-09-16T19:20:29.168Z\",7657197,\"code42-exfil-share-datatype\",\"61898b6da7ebbf3a13be7c76ae49e5f5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.006Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:30.281Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.008Z 804e3b095828 Skyformation - 2619095453314890827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712008 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-string-18.0.194-develop-194.jar fsize=14758 msg=Resource [Resource: file :: test42-fixture-string-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.008Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-string-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.375Z ext_md5Checksum=0c1b42a22fa41253e0a883a3c2147fa9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14758 ext_insertionTimestamp=2021-09-16T19:18:39.568043Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.371Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.008Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568043Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-string-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14758,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"0c1b42a22fa41253e0a883a3c2147fa9\\\",\\\"sha256Checksum\\\":\\\"a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:26.371Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:26.375Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d692ff50-8a73-5b7c-887a-7ac69931a5ce\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.008Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-string-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:26.375Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c\",\"2021-09-16T19:20:29.168Z\",14758,\"code42-exfil-share-datatype\",\"0c1b42a22fa41253e0a883a3c2147fa9\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.008Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:26.371Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.993Z 804e3b095828 Skyformation - 8176639218918911133 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711993 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console.runtimeconfig.json fsize=105 msg=Resource [Resource: file :: Test42Console.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.993Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.653Z ext_md5Checksum=ba8f99b0518b43d8e5cdf3ea1356c600 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105 ext_insertionTimestamp=2021-09-16T19:18:39.567470Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.651Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.993Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567470Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console.runtimeconfig.json\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Uncategorized\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":105,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"ba8f99b0518b43d8e5cdf3ea1356c600\\\",\\\"sha256Checksum\\\":\\\"8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.651Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.653Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removab
leMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/json\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c0e83a93-2af4-5d37-babd-10b1452f228d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.993Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"Test42Console.runtimeconfig.json\",\"KATHYK-O
SX (2)\",\"localhost\",\"2021-09-16T14:29:32.653Z\",\"application/json\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86\",\"2021-09-16T19:20:29.168Z\",105,\"code42-exfil-share-datatype\",\"ba8f99b0518b43d8e5cdf3ea1356c600\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Uncategorized\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.993Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.651Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:50:02.277Z 804e3b095828 Skyformation - 5602684442482280736 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 dproc=file events dtz=default-tenant end=1631829002277 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:50:02.277Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:50:00.880Z ext_md5Checksum=b817fe0a78cbc9235abc6adce11beb39 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659802 ext_insertionTimestamp=2021-09-16T21:51:03.096935Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:50:02.277Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:51:03.096935Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659802,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"b817fe0a78cbc9235abc6adce11beb39\\\",\\\"sha256Checksum\\\":\\\"6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:50:00.880Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61423_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8c564a5c-edc3-541c-989b-c9b6584537a0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:50:02.277Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:50:00.880Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c\",\"2021-09-16T21:52:29.135Z\",6659802,\"code42-exfil-share-datatype\",\"b817fe0a78cbc9235abc6adce11beb39\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:50:02.277Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 1490067587399469079 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.147Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.567997Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.911Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567997Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-file-system-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7650176,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d2670e017c2aee21fbfa183360468e94\\\",\\\"sha256Checksum\\\":\\\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:30.911Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:31.147Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-600d5056-d56f-5d29-8735-28d002a0177c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:31.147Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"2021-09-16T19:20:29.157Z\",7650176,\"code42-exfil-share-datatype\",\"d2670e017c2aee21fbfa183360468e94\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:30.911Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:18.773Z 804e3b095828 Skyformation - 2796256343079738721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718773 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.773Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.342Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 ext_insertionTimestamp=2021-09-16T19:18:39.568031Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.148Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:18.773Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568031Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-rest-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6976661,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"f20102257ab369adb8dd6cb6c50014fe\\\",\\\"sha256Checksum\\\":\\\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.148Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.342Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61263_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-82473b8d-7e74-50ea-9744-5b08a75c0f86\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:18.773Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-rest-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.342Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"2021-09-16T19:20:29.159Z\",6976661,\"code42-exfil-share-datatype\",\"f20102257ab369adb8dd6cb6c50014fe\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:18.773Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.148Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:15.893Z 804e3b095828 Skyformation - 4881423058587582298 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715893 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.893Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.133Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567870Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:14.961Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:15.893Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567870Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-common-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6080452,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"08215631827e4179e243d27b5f502f90\\\",\\\"sha256Checksum\\\":\\\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:14.961Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:15.133Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fcfc53ce-2a59-58e6-8c35-da34b1db1be7\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:15.893Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-common-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:15.133Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"2021-09-16T19:20:29.169Z\",6080452,\"code42-exfil-share-datatype\",\"08215631827e4179e243d27b5f502f90\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:15.893Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:14.961Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:19.769Z 804e3b095828 Skyformation - 6627546699421659495 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719769 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.769Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.052Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568143Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.979Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:19.769Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568143Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"test42-console-8.2.3.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2573374,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"aa7ef1099a4cd7eb288430e0f8621b0c\\\",\\\"sha256Checksum\\\":\\\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.979Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:19.052Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusT
ype\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d3d31370-5f9b-5151-b1b4-1106238db7e9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:19.769Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-console-8.2.3.jar\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:15:19.052Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"2021-09-16T19:20:29.167Z\",2573374,\"code42-exfil-share-datatype\",\"aa7ef1099a4cd7eb288430e0f8621b0c\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:19.769Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.979Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:39:00.951Z 804e3b095828 Skyformation - 3085221760796449695 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 dproc=file events dtz=default-tenant end=1631828340951 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:39:00.951Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:39:00.700Z ext_md5Checksum=5a797dc0a97885951ef7fd87b6f564fe ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659483 ext_insertionTimestamp=2021-09-16T21:39:50.425897Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:39:00.951Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:39:50.425897Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659483,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"5a797dc0a97885951ef7fd87b6f564fe\\\",\\\"sha256Checksum\\\":\\\"a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:39:00.700Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61421_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-de89ae13-1740-5d1b-89bb-f85121f0cd75\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:39:00.951Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:39:00.700Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c\",\"2021-09-16T21:40:29.785Z\",6659483,\"code42-exfil-share-datatype\",\"5a797dc0a97885951ef7fd87b6f564fe\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:39:00.951Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:18.775Z 804e3b095828 Skyformation - 235457846511697461 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718775 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.775Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.687Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567939Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.378Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:18.775Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567939Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11047889,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"c32214157ad2def6a511701ce4e0a562\\\",\\\"sha256Checksum\\\":\\\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.378Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.687Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0d18a5dd-0e2a-5b84-b619-3d537c56b3d0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:18.775Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.687Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"2021-09-16T19:20:29.172Z\",11047889,\"code42-exfil-share-datatype\",\"c32214157ad2def6a511701ce4e0a562\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:18.775Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.378Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:14.828Z 804e3b095828 Skyformation - 4988657070909514900 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819714828 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:14.828Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:13.679Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567549Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:13.658Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:14.828Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567549Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"dotnet-Test42Runner-8.2.3.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":468043,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2fa8d4d1035f2e127169e5e649d52ed1\\\",\\\"sha256Checksum\\\":\\\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:13.658Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:13.679Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusTyp
e\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-747337c7-1290-5526-abdf-d50e6103d1ac\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:14.828Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"dotnet-Test42Runner-8.2.3.zip\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:15:13.679Z\",\"application/zip\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"2021-09-16T19:20:29.172Z\",468043,\"code42-exfil-share-datatype\",\"2fa8d4d1035f2e127169e5e649d52ed1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:14.828Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:13.658Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:59:02.980Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:01:17.003636Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661803,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"7a691f6c406d52373ad2c62e2f480bb3\\\",\\\"sha256Checksum\\\":\\\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:59:00.670Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a65e4551-47d7-5f70-a259-006cd2ea2894\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:59:02.980Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:59:00.670Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"2021-09-16T23:02:30.314Z\",6661803,\"code42-exfil-share-datatype\",\"7a691f6c406d52373ad2c62e2f480bb3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:59:02.980Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:28:00.876Z 804e3b095828 Skyformation - 8042611856875895468 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 dproc=file events dtz=default-tenant end=1631831280876 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:28:00.876Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:28:00.304Z ext_md5Checksum=453ec6ef064fa5bc0c6f50ee2d5204e5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660904 ext_insertionTimestamp=2021-09-16T22:28:42.643367Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:28:00.876Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:28:42.643367Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660904,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"453ec6ef064fa5bc0c6f50ee2d5204e5\\\",\\\"sha256Checksum\\\":\\\"853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:28:00.304Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61426_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5a4f38a7-721b-5a46-af92-9b379e22e83f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:28:00.876Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:28:00.304Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108\",\"2021-09-16T22:30:29.500Z\",6660904,\"code42-exfil-share-datatype\",\"453ec6ef064fa5bc0c6f50ee2d5204e5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:28:00.876Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 5692899194704443110 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Java.sh fsize=165 msg=Resource [Resource: file :: launchTest42Console-Java.sh] was deleted by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Java.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.020Z ext_md5Checksum=3b387d2bf8ce6d3b92a5f1db751813f9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=165 ext_insertionTimestamp=2021-09-16T19:18:39.568109Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.019Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.994Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568109Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"launchTest42Console-Java.sh\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Script\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Script\\\",\\\"fileSize\\\":165,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3b387d2bf8ce6d3b92a5f1db751813f9\\\",\\\"sha256Checksum\\\":\\\"ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:41.019Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:41.020Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":
null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-sh\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_11_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-45612c08-8262-5116-a9f8-17732756f8ff\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.994Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Script\",\"Endpoint\",\"launchTest42Console-Java.sh\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:41.020Z\",\"application/x-sh\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361\",\"2021-09-16T19:20:29.168Z\",165,\"code42-exfil-share-datatype\",\"3b387d2bf8ce6d3b92a5f1db751813f9\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Script\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.994Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:41.019Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] 
ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE 
Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-75e7c90f-681b-5167-ab1f-93253718bf60\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.158Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.085Z 804e3b095828 Skyformation - 8692612087128247895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724085 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.085Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567190Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.085Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567190Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"WindowsBase.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d8a0e4361c61034952e56a4eaac26925\\\",\\\"sha256Checksum\\\":\\\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-08f2fe68-910f-5dc7-94c4-c7d30afc8519\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:24.085Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WindowsBase.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"2021-09-16T19:20:29.170Z\",6656,\"code42-exfil-share-datatype\",\"d8a0e4361c61034952e56a4eaac26925\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.085Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:44:00.556Z 804e3b095828 Skyformation - 8674733544075329242 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 dproc=file events dtz=default-tenant end=1631828640556 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:44:00.556Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:44:00.149Z ext_md5Checksum=32ef24cfa95d52085eea12935c55f475 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659628 ext_insertionTimestamp=2021-09-16T21:45:15.841469Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:44:00.556Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:45:15.841469Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659628,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"32ef24cfa95d52085eea12935c55f475\\\",\\\"sha256Checksum\\\":\\\"a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:44:00.149Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61421_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-23911c2c-7e26-51bc-9fea-5f05b4c871cf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:44:00.556Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:44:00.149Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a\",\"2021-09-16T21:46:29.997Z\",6659628,\"code42-exfil-share-datatype\",\"32ef24cfa95d52085eea12935c55f475\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:44:00.556Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:18.772Z 804e3b095828 Skyformation - 8294759705628931815 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.772Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.095Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.568008Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.884Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:18.772Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568008Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-file-system-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7650176,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d2670e017c2aee21fbfa183360468e94\\\",\\\"sha256Checksum\\\":\\\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:17.884Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.095Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f63d3086-bd17-55ab-81cc-54fc91e7d10b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:18.772Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.095Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"2021-09-16T19:20:29.172Z\",7650176,\"code42-exfil-share-datatype\",\"d2670e017c2aee21fbfa183360468e94\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:18.772Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:17.884Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:01:01.023Z 804e3b095828 Skyformation - 2456916627922492488 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 dproc=file events dtz=default-tenant end=1631822461023 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:01:01.023Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:01:00.608Z ext_md5Checksum=2ee6250bd1e7bd8600f0961bd3324d4e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656641 ext_insertionTimestamp=2021-09-16T20:02:04.344088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:01:01.023Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:02:04.344088Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656641,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2ee6250bd1e7bd8600f0961bd3324d4e\\\",\\\"sha256Checksum\\\":\\\"1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:01:00.608Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61339_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fc4db0ba-18cc-5107-a914-084f635c52af\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:01:01.023Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:01:00.608Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54\",\"2021-09-16T20:04:28.310Z\",6656641,\"code42-exfil-share-datatype\",\"2ee6250bd1e7bd8600f0961bd3324d4e\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:01:01.023Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.821Z 804e3b095828 Skyformation - 1605658926549055429 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723821 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.821Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567392Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.821Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567392Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"netstandard.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":105472,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3d47f885a18937d6fd0fde935538560b\\\",\\\"sha256Checksum\\\":\\\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2481047e-5ae4-543b-9028-8e19e3e05566\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:23.821Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"netstandard.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"2021-09-16T19:20:29.170Z\",105472,\"code42-exfil-share-datatype\",\"3d47f885a18937d6fd0fde935538560b\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.821Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:15.897Z 804e3b095828 Skyformation - 5723685368446080373 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715897 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar fsize=41227 msg=Resource [Resource: file :: test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.897Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.419Z ext_md5Checksum=e98fb5f87aed64e2d32116bc565d2dec ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=41227 ext_insertionTimestamp=2021-09-16T19:18:39.567796Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.414Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:15.897Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567796Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":41227,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"e98fb5f87aed64e2d32116bc565d2dec\\\",\\\"sha256Checksum\\\":\\\"95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:15.414Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:15.419Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4386ebf1-b7bd-5cc7-9d76-25107a9a2069\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:15.897Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:15.419Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806\",\"2021-09-16T19:20:29.157Z\",41227,\"code42-exfil-share-datatype\",\"e98fb5f87aed64e2d32116bc565d2dec\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:15.897Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:15.414Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:19.761Z 804e3b095828 Skyformation - 2980995002300610810 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719761 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.761Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.832Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 ext_insertionTimestamp=2021-09-16T19:18:39.567638Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.812Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:19.761Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567638Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/dotnet/\\\",\\\"fileName\\\":\\\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":652056,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"23ba5e96a691edc4773fec0f88bf952f\\\",\\\"sha256Checksum\\\":\\\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.812Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.832Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c978eb4a-4e5b-5e42-870b-1d5172367949\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:19.761Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.832Z\",\"application/zip\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"2021-09-16T19:20:29.168Z\",652056,\"code42-exfil-share-datatype\",\"23ba5e96a691edc4773fec0f88bf952f\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:19.761Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.812Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:49:02.292Z 804e3b095828 Skyformation - 1350603041899679478 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 dproc=file events dtz=default-tenant end=1631832542292 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:49:02.292Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:49:00.527Z ext_md5Checksum=e36e7a007a335fab0b5c84fd64dfdccc ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661513 ext_insertionTimestamp=2021-09-16T22:50:23.782238Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:49:02.292Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:50:23.782238Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661513,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"e36e7a007a335fab0b5c84fd64dfdccc\\\",\\\"sha256Checksum\\\":\\\"5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:49:00.527Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61444_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-af4fbb0a-af39-5538-9106-9b2db2646476\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:49:02.292Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:49:00.527Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca\",\"2021-09-16T22:52:31.870Z\",6661513,\"code42-exfil-share-datatype\",\"e36e7a007a335fab0b5c84fd64dfdccc\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:49:02.292Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.801Z 804e3b095828 Skyformation - 621632533739725350 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723801 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.801Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567212Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.801Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567212Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libclrjit.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":2741416,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"650f69041d44556a5f3bdbcace8b3dea\\\",\\\"sha256Checksum\\\":\\\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\\\",\\\"createTimestamp\\\":\\\"2020-01-17T02:29:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T02:29:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4ae4ea8f-75b0-5f70-bab5-178877150abf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:23.801Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libclrjit.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T02:29:02Z\",\"application/octet-stream\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"2021-09-16T19:20:29.158Z\",2741416,\"code42-exfil-share-datatype\",\"650f69041d44556a5f3bdbcace8b3dea\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.801Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T02:29:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:17:02.470Z 804e3b095828 Skyformation - 3355602177351257247 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 dproc=file events dtz=default-tenant end=1631823422470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:17:02.470Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:17:00.510Z ext_md5Checksum=79e223064e50c50dc63e89e30862e8f4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657105 ext_insertionTimestamp=2021-09-16T20:18:24.025397Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:17:02.470Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:18:24.025397Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657105,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"79e223064e50c50dc63e89e30862e8f4\\\",\\\"sha256Checksum\\\":\\\"5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:17:00.510Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61341_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6d5a20a2-f50e-5f19-a010-b1be1e470e1d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:17:02.470Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:17:00.510Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3\",\"2021-09-16T20:20:29.219Z\",6657105,\"code42-exfil-share-datatype\",\"79e223064e50c50dc63e89e30862e8f4\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:17:02.470Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:15.898Z 804e3b095828 Skyformation - 4866351305492022215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715898 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.898Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:16.117Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567962Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.422Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:15.898Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567962Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-desktop-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26151827,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"4686b7fd21e7fb7459728108e94bdda5\\\",\\\"sha256Checksum\\\":\\\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:15.422Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:16.117Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f72d64ad-9c47-5fe9-abad-e1411db140d1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:15.898Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:16.117Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"2021-09-16T19:20:29.168Z\",26151827,\"code42-exfil-share-datatype\",\"4686b7fd21e7fb7459728108e94bdda5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:15.898Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:15.422Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:39:02.995Z 804e3b095828 Skyformation - 2457476870350379974 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 dproc=file events dtz=default-tenant end=1631824742995 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:39:02.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:39:00.749Z ext_md5Checksum=c777bda26af371c784639bf97c796a30 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657743 ext_insertionTimestamp=2021-09-16T20:40:03.955501Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:39:02.995Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:40:03.955501Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657743,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"c777bda26af371c784639bf97c796a30\\\",\\\"sha256Checksum\\\":\\\"2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:39:00.749Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61342_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8fd13adc-a57f-52b3-afec-f4d6286a241e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:39:02.995Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:39:00.749Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a\",\"2021-09-16T20:40:29.204Z\",6657743,\"code42-exfil-share-datatype\",\"c777bda26af371c784639bf97c796a30\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:39:02.995Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 3519140269928418882 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.847Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567807Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.631Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567807Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7005905,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"5f7aa4fdb5ef4c7a5a5124f614865982\\\",\\\"sha256Checksum\\\":\\\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:30.631Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:30.847Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c15684c1-40f1-5e8d-a549-ec971abac766\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:30.847Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"2021-09-16T19:20:29.168Z\",7005905,\"code42-exfil-share-datatype\",\"5f7aa4fdb5ef4c7a5a5124f614865982\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:30.631Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:12:03.215Z 804e3b095828 Skyformation - 6886991114765220858 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 dproc=file events dtz=default-tenant end=1631823123215 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:12:03.215Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:12:00.952Z ext_md5Checksum=326e1e96ac5b97f92334ae3ed0af00a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656960 ext_insertionTimestamp=2021-09-16T20:12:57.237021Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:12:03.215Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:12:57.237021Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656960,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"326e1e96ac5b97f92334ae3ed0af00a9\\\",\\\"sha256Checksum\\\":\\\"7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:12:00.952Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61340_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4187d125-6fed-5e14-872a-e781ac9c07c7\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:12:03.215Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:12:00.952Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc\",\"2021-09-16T20:14:29.101Z\",6656960,\"code42-exfil-share-datatype\",\"326e1e96ac5b97f92334ae3ed0af00a9\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:12:03.215Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 8983082904017481833 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:28.729Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567951Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.871Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567951Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-desktop-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26151827,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"4686b7fd21e7fb7459728108e94bdda5\\\",\\\"sha256Checksum\\\":\\\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:27.871Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:28.729Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61269_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ea36b47c-6754-5ecf-931a-a6132c50aa22\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:28.729Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"2021-09-16T19:20:29.170Z\",26151827,\"code42-exfil-share-datatype\",\"4686b7fd21e7fb7459728108e94bdda5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:27.871Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:55:02.138Z 804e3b095828 Skyformation - 729364201181628912 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 dproc=file events dtz=default-tenant end=1631825702138 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:55:02.138Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:55:00.753Z ext_md5Checksum=63d8ad93f3a8ccf161c446bd00ebe0ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658207 ext_insertionTimestamp=2021-09-16T20:56:21.765014Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:55:02.138Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:56:21.765014Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658207,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"63d8ad93f3a8ccf161c446bd00ebe0ee\\\",\\\"sha256Checksum\\\":\\\"d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:55:00.753Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61345_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-288534d9-fd19-501f-a62b-9ccd21200713\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:55:02.138Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:55:00.753Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e\",\"2021-09-16T20:58:28.798Z\",6658207,\"code42-exfil-share-datatype\",\"63d8ad93f3a8ccf161c446bd00ebe0ee\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:55:02.138Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 8309860196715459145 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.239Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567649Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.212Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.006Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567649Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/dotnet/\\\",\\\"fileName\\\":\\\"T42.Automation.Fixture.MachineManager-18.0.13.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":626077,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8824ed0806692fe40c6cc57f282862d1\\\",\\\"sha256Checksum\\\":\\\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.212Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.239Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0e24644f-f291-5bd2-bc35-86a9b5d0b7a3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.006Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:32.239Z\",\"application/zip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"2021-09-16T19:20:29.169Z\",626077,\"code42-exfil-share-datatype\",\"8824ed0806692fe40c6cc57f282862d1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.006Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.212Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:28:03.165Z 804e3b095828 Skyformation - 4940785117334694295 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 dproc=file events dtz=default-tenant end=1631824083165 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:28:03.165Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:28:00.813Z ext_md5Checksum=d4b2584cc8639725ef1a77f10489af6e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657424 ext_insertionTimestamp=2021-09-16T20:29:14.653406Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:28:03.165Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:29:14.653406Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657424,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d4b2584cc8639725ef1a77f10489af6e\\\",\\\"sha256Checksum\\\":\\\"4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:28:00.813Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61341_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-91bf6af3-6d39-5a96-81d4-c4908b781523\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:28:03.165Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:28:00.813Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4\",\"2021-09-16T20:30:28.534Z\",6657424,\"code42-exfil-share-datatype\",\"d4b2584cc8639725ef1a77f10489af6e\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:28:03.165Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 8233299408064618554 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567268Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.746Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567268Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libhostpolicy.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":315420,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"006913ffaf68f205cc00bd03cc0d3761\\\",\\\"sha256Checksum\\\":\\\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:42:18Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:42:18Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61262_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b22fa99e-4961-5cd7-94d9-94743bc7cc5a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.746Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libhostpolicy.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:42:18Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"2021-09-16T19:20:29.158Z\",315420,\"code42-exfil-share-datatype\",\"006913ffaf68f205cc00bd03cc0d3761\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.746Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:42:18Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:11:00.794Z 804e3b095828 Skyformation - 2404635122291901530 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 dproc=file events dtz=default-tenant end=1631830260794 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:11:00.794Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:11:00.379Z ext_md5Checksum=951245aef74b1e8b33f4500e499e686a ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660411 ext_insertionTimestamp=2021-09-16T22:12:24.819165Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:11:00.794Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:12:24.819165Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660411,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"951245aef74b1e8b33f4500e499e686a\\\",\\\"sha256Checksum\\\":\\\"e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:11:00.379Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61423_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cfed350e-a44b-53ce-b882-dc197c8f62b6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:11:00.794Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:11:00.379Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da\",\"2021-09-16T22:12:29.328Z\",6660411,\"code42-exfil-share-datatype\",\"951245aef74b1e8b33f4500e499e686a\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:11:00.794Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.074Z 804e3b095828 Skyformation - 8477448688941154930 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724074 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.074Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566968Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.074Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566968Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.Linq.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6144,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2b104a782e44ca704503ca9b3c635c9e\\\",\\\"sha256Checksum\\\":\\\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_14_61269_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e28b082b-fc8d-5d89-9b34-4381e18289c2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:24.074Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.Linq.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"2021-09-16T19:20:29.167Z\",6144,\"code42-exfil-share-datatype\",\"2b104a782e44ca704503ca9b3c635c9e\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.074Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:56:02.173Z 804e3b095828 Skyformation - 7188922889508140062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 dproc=file events dtz=default-tenant end=1631822162173 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:56:02.173Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:56:00.923Z ext_md5Checksum=fc552e5a9046ea13a5d6106e2b2f9b76 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656496 ext_insertionTimestamp=2021-09-16T19:56:39.322640Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:56:02.173Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:56:39.322640Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656496,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"fc552e5a9046ea13a5d6106e2b2f9b76\\\",\\\"sha256Checksum\\\":\\\"3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:56:00.923Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61339_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5b13a540-ce0b-5885-ac3e-33c0b65dba06\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:56:02.173Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:56:00.923Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4\",\"2021-09-16T19:58:28.306Z\",6656496,\"code42-exfil-share-datatype\",\"fc552e5a9046ea13a5d6106e2b2f9b76\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:56:02.173Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.079Z 804e3b095828 Skyformation - 5370534398414402294 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724079 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XmlDocument.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.XmlDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.079Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=447d8892131a4e11ea225e3b1ffe34b1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.079Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567101Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XmlDocument.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"447d8892131a4e11ea225e3b1ffe34b1\\\",\\\"sha256Checksum\\\":\\\"a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f80475c4-c69b-58e5-a9ed-33af9056766f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:24.079Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XmlDocument.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe\",\"2021-09-16T19:20:29.171Z\",6656,\"code42-exfil-share-datatype\",\"447d8892131a4e11ea225e3b1ffe34b1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.079Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:18.770Z 804e3b095828 Skyformation - 6071486703917102800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718770 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.770Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.840Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567818Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.648Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:18.770Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567818Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7005905,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"5f7aa4fdb5ef4c7a5a5124f614865982\\\",\\\"sha256Checksum\\\":\\\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:17.648Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:17.840Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-08118857-1290-5488-af20-857c21d6bdd1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:18.770Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:17.840Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"2021-09-16T19:20:29.169Z\",7005905,\"code42-exfil-share-datatype\",\"5f7aa4fdb5ef4c7a5a5124f614865982\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:18.770Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:17.648Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:44:01.388Z 804e3b095828 Skyformation - 1266689014865399645 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 dproc=file events dtz=default-tenant end=1631832241388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:44:01.388Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:44:00.938Z ext_md5Checksum=b40c0a5ea13afe384316a54705f0d1b4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661368 ext_insertionTimestamp=2021-09-16T22:44:58.435091Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:44:01.388Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:44:58.435091Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661368,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"b40c0a5ea13afe384316a54705f0d1b4\\\",\\\"sha256Checksum\\\":\\\"a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:44:00.938Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61427_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d639f22b-9cff-59ed-9021-3ad255581d0e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:44:01.388Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:44:00.938Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d\",\"2021-09-16T22:46:30.421Z\",6661368,\"code42-exfil-share-datatype\",\"b40c0a5ea13afe384316a54705f0d1b4\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:44:01.388Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:19.755Z 804e3b095828 Skyformation - 1836552121230087232 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719755 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.755Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.755Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567661Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.736Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:19.755Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567661Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/dotnet/\\\",\\\"fileName\\\":\\\"T42.Automation.Fixture.MachineManager-18.0.13.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":626077,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8824ed0806692fe40c6cc57f282862d1\\\",\\\"sha256Checksum\\\":\\\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.736Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.755Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-28195e6b-c15a-559b-a699-d2f6641591b7\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:19.755Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.755Z\",\"application/zip\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"2021-09-16T19:20:29.157Z\",626077,\"code42-exfil-share-datatype\",\"8824ed0806692fe40c6cc57f282862d1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:19.755Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.736Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 146293528143524055 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566867Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.743Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566867Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.ValueTuple.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":5632,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"749df27ac6199cfa7c4b38c78528d3c7\\\",\\\"sha256Checksum\\\":\\\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1abdcd59-cf9e-5f35-bf4b-d2994605bd55\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.743Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.ValueTuple.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"2021-09-16T19:20:29.169Z\",5632,\"code42-exfil-share-datatype\",\"749df27ac6199cfa7c4b38c78528d3c7\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.743Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:33:01.545Z 804e3b095828 Skyformation - 7073850292788359537 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 dproc=file events dtz=default-tenant end=1631827981545 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:33:01.545Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:33:00.213Z ext_md5Checksum=20d1f8a835b0834eb7b5d80569deed62 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659309 ext_insertionTimestamp=2021-09-16T21:34:24.032240Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:33:01.545Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:34:24.032240Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659309,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"20d1f8a835b0834eb7b5d80569deed62\\\",\\\"sha256Checksum\\\":\\\"582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:33:00.213Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61421_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5369c67b-c8ed-5b7f-81d6-ec60324367ab\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:33:01.545Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:33:00.213Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c\",\"2021-09-16T21:34:28.994Z\",6659309,\"code42-exfil-share-datatype\",\"20d1f8a835b0834eb7b5d80569deed62\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:33:01.545Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 4590047523480219385 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.338Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 ext_insertionTimestamp=2021-09-16T19:18:39.567627Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.318Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.006Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567627Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/dotnet/\\\",\\\"fileName\\\":\\\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":652056,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"23ba5e96a691edc4773fec0f88bf952f\\\",\\\"sha256Checksum\\\":\\\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.318Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.338Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5e9f4477-1d64-576f-b3a8-241c6015add6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.006Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:32.338Z\",\"application/zip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"2021-09-16T19:20:29.166Z\",652056,\"code42-exfil-share-datatype\",\"23ba5e96a691edc4773fec0f88bf952f\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.006Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.318Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4770681899815013348 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566957Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.744Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566957Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.Linq.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6144,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2b104a782e44ca704503ca9b3c635c9e\\\",\\\"sha256Checksum\\\":\\\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e5d743d0-0232-5b8e-b0cb-1edd0490dd9f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.744Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.Linq.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"2021-09-16T19:20:29.170Z\",6144,\"code42-exfil-share-datatype\",\"2b104a782e44ca704503ca9b3c635c9e\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.744Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.818Z 804e3b095828 Skyformation - 1887769325684873078 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723818 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=mscorlib.dll fsize=57216 msg=Resource [Resource: file :: mscorlib.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.818Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=mscorlib.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T18:07:34Z ext_md5Checksum=9720675697af7ba93cd049a9b7f757ef ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=57216 ext_insertionTimestamp=2021-09-16T19:18:39.567347Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T18:07:34Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.818Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567347Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"mscorlib.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":57216,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"9720675697af7ba93cd049a9b7f757ef\\\",\\\"sha256Checksum\\\":\\\"ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c\\\",\\\"createTimestamp\\\":\\\"2020-01-17T18:07:34Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T18:07:34Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ccf85660-82e2-5086-a281-3206e1b2858e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:23.818Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"mscorlib.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T18:07:34Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c\",\"2021-09-16T19:20:29.167Z\",57216,\"code42-exfil-share-datatype\",\"9720675697af7ba93cd049a9b7f757ef\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.818Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T18:07:34Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 9109378012419032857 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.dll fsize=54784 msg=Resource [Resource: file :: Test42Console-8.2.3.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.508Z ext_md5Checksum=d69ac3af560428f6948dc20b997161ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=54784 ext_insertionTimestamp=2021-09-16T19:18:39.567403Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.502Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.997Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567403Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console-8.2.3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":54784,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d69ac3af560428f6948dc20b997161ee\\\",\\\"sha256Checksum\\\":\\\"880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.502Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.508Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusT
ype\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-71cfb374-ab6b-5662-ab30-1b3fb949df3c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.997Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Test42Console-8.2.3.dll\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:32.508Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43\",\"2021-09-16T19:20:29.167Z\",54784,\"code42-exfil-share-datatype\",\"d69ac3af560428f6948dc20b997161ee\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.997Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.502Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:34:01.973Z 804e3b095828 Skyformation - 2524988023863085362 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 dproc=file events dtz=default-tenant end=1631824441973 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:34:01.973Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:34:00.215Z ext_md5Checksum=ff960d04995e3896e1e5f9b9280fa4ab ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657598 ext_insertionTimestamp=2021-09-16T20:34:41.194795Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:34:01.973Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:34:41.194795Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657598,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"ff960d04995e3896e1e5f9b9280fa4ab\\\",\\\"sha256Checksum\\\":\\\"80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:34:00.215Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61340_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cab0f6ad-bf33-5b50-a385-5e8c1204635d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:34:01.973Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T20:34:00.215Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f\",\"2021-09-16T20:36:28.548Z\",6657598,\"code42-exfil-share-datatype\",\"ff960d04995e3896e1e5f9b9280fa4ab\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:34:01.973Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 2213325285618451753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.446Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 ext_insertionTimestamp=2021-09-16T19:18:39.568020Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568020Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-rest-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6976661,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"f20102257ab369adb8dd6cb6c50014fe\\\",\\\"sha256Checksum\\\":\\\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:31.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:31.446Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_14_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cd8f9d6d-f964-5596-b969-1adc4cbab814\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-rest-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:31.446Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"2021-09-16T19:20:29.167Z\",6976661,\"code42-exfil-share-datatype\",\"f20102257ab369adb8dd6cb6c50014fe\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:31.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 3843752372852811386 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was deleted by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.005Z ext_md5Checksum=2d2bf0d9382070b7cca29a72b3936e5d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.005Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.994Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568088Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"launchTest42Console-Dotnet.sh\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Script\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Script\\\",\\\"fileSize\\\":202,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2d2bf0d9382070b7cca29a72b3936e5d\\\",\\\"sha256Checksum\\\":\\\"4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:41.005Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:41.005Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\
":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-sh\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bf1190c9-a884-5c2a-bb2c-2795c5d957d1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.994Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Script\",\"Endpoint\",\"launchTest42Console-Dotnet.sh\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:41.005Z\",\"application/x-sh\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca\",\"2021-09-16T19:20:29.167Z\",202,\"code42-exfil-share-datatype\",\"2d2bf0d9382070b7cca29a72b3936e5d\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Script\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.994Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:41.005Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.996Z 804e3b095828 Skyformation - 3176029036093175203 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711996 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-runtime-3.1.2-osx-x64.tar.gz fsize=29915862 msg=Resource [Resource: file :: dotnet-runtime-3.1.2-osx-x64.tar.gz] was deleted by [kathy.kane@c42se.com] proto=gz requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.996Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-runtime-3.1.2-osx-x64.tar.gz ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/gzip ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:36.132Z ext_md5Checksum=f83a55de32ce1a89fb5b123257830cba ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=29915862 ext_insertionTimestamp=2021-09-16T19:18:39.567560Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:35.234Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/gzip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.996Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567560Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"dotnet-runtime-3.1.2-osx-x64.tar.gz\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":29915862,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"f83a55de32ce1a89fb5b123257830cba\\\",\\\"sha256Checksum\\\":\\\"782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:35.234Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:36.132Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMed
iaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/gzip\\\",\\\"mimeTypeByExtension\\\":\\\"application/gzip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61269_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2b217573-785b-532d-860e-9598234213e8\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.996Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"dotnet-runtime-3.1.2-osx-x64.tar.gz\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:36.132Z\",\"application/gzip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855\",\"2021-09-16T19:20:29.167Z\",29915862,\"code42-exfil-share-datatype\",\"f83a55de32ce1a89fb5b123257830cba\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.996Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:35.234Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.747Z 804e3b095828 Skyformation - 6719904774936520368 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711747 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.747Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567380Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.747Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567380Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"netstandard.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":105472,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3d47f885a18937d6fd0fde935538560b\\\",\\\"sha256Checksum\\\":\\\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7c9d9285-5d31-550b-a4b2-9fd3d3b8a388\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.747Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"netstandard.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"2021-09-16T19:20:29.171Z\",105472,\"code42-exfil-share-datatype\",\"3d47f885a18937d6fd0fde935538560b\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.747Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 58574569231396443 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.487Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567858Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.287Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567858Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-common-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6080452,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"08215631827e4179e243d27b5f502f90\\\",\\\"sha256Checksum\\\":\\\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:27.287Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:27.487Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2080f524-24c7-5036-968e-df2b85f1b54f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-common-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:27.487Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"2021-09-16T19:20:29.170Z\",6080452,\"code42-exfil-share-datatype\",\"08215631827e4179e243d27b5f502f90\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:27.287Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 2397866919275056029 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Web.HttpUtility.dll fsize=36864 msg=Resource [Resource: file :: System.Web.HttpUtility.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Web.HttpUtility.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=306b1de856625f7499d783f7b4b79f38 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36864 ext_insertionTimestamp=2021-09-16T19:18:39.566889Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.743Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566889Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Web.HttpUtility.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":36864,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"306b1de856625f7499d783f7b4b79f38\\\",\\\"sha256Checksum\\\":\\\"125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_3_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-811d4e91-e46b-5844-9af9-7c850abf3da3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.743Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Web.HttpUtility.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8\",\"2021-09-16T19:20:29.168Z\",36864,\"code42-exfil-share-datatype\",\"306b1de856625f7499d783f7b4b79f38\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.743Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:34:01.736Z 804e3b095828 Skyformation - 2573052291884632109 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 dproc=file events dtz=default-tenant end=1631820841736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:34:01.736Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:34:00.437Z ext_md5Checksum=5082d25b519827369f4026d1de2ee6ca ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655858 ext_insertionTimestamp=2021-09-16T19:34:57.134540Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:34:01.736Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:34:57.134540Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6655858,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"5082d25b519827369f4026d1de2ee6ca\\\",\\\"sha256Checksum\\\":\\\"7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:34:00.437Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61335_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4d0c40d9-1a17-5018-b60d-c3342b98c94c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:34:01.736Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:34:00.437Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b\",\"2021-09-16T19:36:28.977Z\",6655858,\"code42-exfil-share-datatype\",\"5082d25b519827369f4026d1de2ee6ca\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:34:01.736Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:06:01.487Z 804e3b095828 Skyformation - 6710622959611147958 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 dproc=file events dtz=default-tenant end=1631826361487 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:06:01.487Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:06:00.163Z ext_md5Checksum=60bf5e7434748875904b3d240e9933b7 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658526 ext_insertionTimestamp=2021-09-16T21:07:13.335410Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:06:01.487Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:07:13.335410Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658526,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"60bf5e7434748875904b3d240e9933b7\\\",\\\"sha256Checksum\\\":\\\"f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:06:00.163Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61346_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-367d899b-650f-51b4-a6a1-0534a3961b75\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:06:01.487Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:06:00.163Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba\",\"2021-09-16T21:08:28.978Z\",6658526,\"code42-exfil-share-datatype\",\"60bf5e7434748875904b3d240e9933b7\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:06:01.487Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 7619218699635329950 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567201Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.745Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567201Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libclrjit.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":2741416,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"650f69041d44556a5f3bdbcace8b3dea\\\",\\\"sha256Checksum\\\":\\\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\\\",\\\"createTimestamp\\\":\\\"2020-01-17T02:29:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T02:29:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-66849bfc-3193-508e-8ee8-6bb759846345\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.745Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libclrjit.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T02:29:02Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"2021-09-16T19:20:29.167Z\",2741416,\"code42-exfil-share-datatype\",\"650f69041d44556a5f3bdbcace8b3dea\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.745Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T02:29:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:17:01.240Z 804e3b095828 Skyformation - 6379287197034431494 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 dproc=file events dtz=default-tenant end=1631827021240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:17:01.240Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:17:00.229Z ext_md5Checksum=37d786d2ffe3997a1a4913f817e1163c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658845 ext_insertionTimestamp=2021-09-16T21:18:05.961899Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:17:01.240Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:18:05.961899Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658845,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"37d786d2ffe3997a1a4913f817e1163c\\\",\\\"sha256Checksum\\\":\\\"144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:17:00.229Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61401_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4e4fc7d1-49ea-5c9b-bca5-6f1b79386f29\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:17:01.240Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:17:00.229Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817\",\"2021-09-16T21:18:29.165Z\",6658845,\"code42-exfil-share-datatype\",\"37d786d2ffe3997a1a4913f817e1163c\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:17:01.240Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:55:01.913Z 804e3b095828 Skyformation - 1768128187348227515 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 dproc=file events dtz=default-tenant end=1631829301913 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:55:01.913Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:55:00.543Z ext_md5Checksum=dc00517c1ea40d76a86ac0775630315b ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659947 ext_insertionTimestamp=2021-09-16T21:56:06.248063Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:55:01.913Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:56:06.248063Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659947,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"dc00517c1ea40d76a86ac0775630315b\\\",\\\"sha256Checksum\\\":\\\"dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:55:00.543Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61422_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-15c0c9b0-6bdf-53a1-add0-1f2928d4286d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:55:01.913Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:55:00.543Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37\",\"2021-09-16T21:58:29.321Z\",6659947,\"code42-exfil-share-datatype\",\"dc00517c1ea40d76a86ac0775630315b\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:55:01.913Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:39:03.445Z 804e3b095828 Skyformation - 2624752478966021475 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 dproc=file events dtz=default-tenant end=1631821143445 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:39:03.445Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:39:01.028Z ext_md5Checksum=2f0e54e1e35e34e9a4b6c5b586789edf ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656003 ext_insertionTimestamp=2021-09-16T19:40:23.773101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:39:03.445Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:40:23.773101Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656003,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2f0e54e1e35e34e9a4b6c5b586789edf\\\",\\\"sha256Checksum\\\":\\\"22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:39:01.028Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61338_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d473561a-d486-58d7-9d54-79dca5b2d69e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:39:03.445Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:39:01.028Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534\",\"2021-09-16T19:40:28.880Z\",6656003,\"code42-exfil-share-datatype\",\"2f0e54e1e35e34e9a4b6c5b586789edf\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:39:03.445Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:01:01.612Z 804e3b095828 Skyformation - 5476861324589104236 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 dproc=file events dtz=default-tenant end=1631829661612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:01:01.612Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:01:00.223Z ext_md5Checksum=aa34550e46232e041e8738f575568b63 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660121 ext_insertionTimestamp=2021-09-16T22:01:32.790174Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:01:01.612Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:01:32.790174Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660121,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"aa34550e46232e041e8738f575568b63\\\",\\\"sha256Checksum\\\":\\\"6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:01:00.223Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61423_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7f05d117-a06c-5922-8649-7708e4d80765\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:01:01.612Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:01:00.223Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530\",\"2021-09-16T22:04:30.120Z\",6660121,\"code42-exfil-share-datatype\",\"aa34550e46232e041e8738f575568b63\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:01:01.612Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:06:01.028Z 804e3b095828 Skyformation - 8997259429135136842 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 dproc=file events dtz=default-tenant end=1631829961028 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:06:01.028Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:06:00.773Z ext_md5Checksum=e3826febfa687b19d431037a05e3d695 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660266 ext_insertionTimestamp=2021-09-16T22:06:57.577426Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:06:01.028Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:06:57.577426Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660266,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"e3826febfa687b19d431037a05e3d695\\\",\\\"sha256Checksum\\\":\\\"a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:06:00.773Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61424_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0c80d806-8279-587b-8b43-c95ce2fcdd89\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:06:01.028Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:06:00.773Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6\",\"2021-09-16T22:08:29.515Z\",6660266,\"code42-exfil-share-datatype\",\"e3826febfa687b19d431037a05e3d695\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:06:01.028Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:02.481Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:55:54.847061Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661687,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3df126f4a090da12f2c29b6e5c1c29da\\\",\\\"sha256Checksum\\\":\\\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:00.206Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1d9f33fa-cc28-5fe5-9975-5003f91369d6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:55:02.481Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:55:00.206Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"2021-09-16T22:58:29.755Z\",6661687,\"code42-exfil-share-datatype\",\"3df126f4a090da12f2c29b6e5c1c29da\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:55:02.481Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.033Z 804e3b095828 Skyformation - 5428778102527363807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712033 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.033Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.287Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567537Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.033Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567537Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"dotnet-Test42Runner-8.2.3.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":468043,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2fa8d4d1035f2e127169e5e649d52ed1\\\",\\\"sha256Checksum\\\":\\\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:26.269Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:26.287Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusTyp
e\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-04487d78-acfd-5735-a210-f113f8855f9c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.033Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"dotnet-Test42Runner-8.2.3.zip\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:26.287Z\",\"application/zip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"2021-09-16T19:20:29.169Z\",468043,\"code42-exfil-share-datatype\",\"2fa8d4d1035f2e127169e5e649d52ed1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.033Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:26.269Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:28:01.712Z 804e3b095828 Skyformation - 891655873053505721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 dproc=file events dtz=default-tenant end=1631827681712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:28:01.712Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:28:00.665Z ext_md5Checksum=043ea115b4517db2f0aa7c5853f7385b ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659164 ext_insertionTimestamp=2021-09-16T21:28:58.572803Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:28:01.712Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:28:58.572803Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659164,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"043ea115b4517db2f0aa7c5853f7385b\\\",\\\"sha256Checksum\\\":\\\"49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:28:00.665Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61421_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d5a79131-010e-5b41-9357-c3586091d05e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:28:01.712Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:28:00.665Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4\",\"2021-09-16T21:30:29.019Z\",6659164,\"code42-exfil-share-datatype\",\"043ea115b4517db2f0aa7c5853f7385b\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:28:01.712Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.078Z 804e3b095828 Skyformation - 7299018334312800224 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724078 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.078Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.567035Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.078Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567035Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XDocument.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6144,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"fef6c873d31e77de3f5c254593f606d0\\\",\\\"sha256Checksum\\\":\\\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_11_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f91637db-83e4-5758-b551-7c227aba1a5d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:24.078Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XDocument.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"2021-09-16T19:20:29.168Z\",6144,\"code42-exfil-share-datatype\",\"fef6c873d31e77de3f5c254593f606d0\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.078Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 2798890335140955527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.567023Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.744Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567023Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XDocument.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6144,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"fef6c873d31e77de3f5c254593f606d0\\\",\\\"sha256Checksum\\\":\\\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ede94b18-04d2-554a-90e6-ab609600fa70\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.744Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XDocument.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"2021-09-16T19:20:29.167Z\",6144,\"code42-exfil-share-datatype\",\"fef6c873d31e77de3f5c254593f606d0\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.744Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 6610991199308768678 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567179Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.745Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567179Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"WindowsBase.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d8a0e4361c61034952e56a4eaac26925\\\",\\\"sha256Checksum\\\":\\\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-85a1f9cb-fdf2-5bd3-8178-3d11c1f5cec4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.745Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WindowsBase.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"2021-09-16T19:20:29.168Z\",6656,\"code42-exfil-share-datatype\",\"d8a0e4361c61034952e56a4eaac26925\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.745Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:01:00.819Z 804e3b095828 Skyformation - 4261722877678484633 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 dproc=file events dtz=default-tenant end=1631826060819 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:01:00.819Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:01:00.560Z ext_md5Checksum=da192fa26ed85e10ce7bb718251110ad ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658381 ext_insertionTimestamp=2021-09-16T21:01:47.308430Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:01:00.819Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:01:47.308430Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658381,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"da192fa26ed85e10ce7bb718251110ad\\\",\\\"sha256Checksum\\\":\\\"74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:01:00.560Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"172.20.64.15\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":nu
ll,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61345_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7711c718-0e21-5675-bb34-071d60939878\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:01:00.819Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"172.20.64.15\",\"2021-09-16T21:01:00.560Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53\",\"2021-09-16T21:02:28.778Z\",6658381,\"code42-exfil-share-datatype\",\"da192fa26ed85e10ce7bb718251110ad\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:01:00.819Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:27.623Z 804e3b095828 Skyformation - 3964934661273873169 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819727623 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was created by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:27.623Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:27.409Z ext_md5Checksum=232b292616f09cef3e0e8ba9805a2963 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568099Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:27.408Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:27.623Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568099Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"launchTest42Console-Dotnet.sh\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Script\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Script\\\",\\\"fileSize\\\":202,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"232b292616f09cef3e0e8ba9805a2963\\\",\\\"sha256Checksum\\\":\\\"88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:27.408Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:27.409Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\
":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-sh\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0e09b581-9e7d-5195-8a38-88102b9c437d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:27.623Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Script\",\"Endpoint\",\"launchTest42Console-Dotnet.sh\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:15:27.409Z\",\"application/x-sh\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912\",\"2021-09-16T19:20:29.167Z\",202,\"code42-exfil-share-datatype\",\"232b292616f09cef3e0e8ba9805a2963\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Script\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:27.623Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:27.408Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:23:01.314Z 804e3b095828 Skyformation - 930370924908933384 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 dproc=file events dtz=default-tenant end=1631820181314 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:23:01.314Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:23:00.067Z ext_md5Checksum=8ce945a5034d673a8c3df84df944e9e2 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655539 ext_insertionTimestamp=2021-09-16T19:24:05.872543Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:23:01.314Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:24:05.872543Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6655539,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8ce945a5034d673a8c3df84df944e9e2\\\",\\\"sha256Checksum\\\":\\\"eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:23:00.067Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61298_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-edf54539-1473-5d66-97c1-f95cf9899b35\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:23:01.314Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:23:00.067Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f\",\"2021-09-16T19:24:29.929Z\",6655539,\"code42-exfil-share-datatype\",\"8ce945a5034d673a8c3df84df944e9e2\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:23:01.314Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:50:02.065Z 804e3b095828 Skyformation - 8498846088421542075 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 dproc=file events dtz=default-tenant end=1631821802065 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:50:02.065Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:50:00.154Z ext_md5Checksum=419c9c07c999bc2c71e9c8e0d74b3977 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656322 ext_insertionTimestamp=2021-09-16T19:51:24.240399Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:50:02.065Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:51:24.240399Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656322,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"419c9c07c999bc2c71e9c8e0d74b3977\\\",\\\"sha256Checksum\\\":\\\"c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:50:00.154Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61338_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b860517a-d359-5618-b9da-cbb484cb38e6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:50:02.065Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:50:00.154Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb\",\"2021-09-16T19:52:28.142Z\",6656322,\"code42-exfil-share-datatype\",\"419c9c07c999bc2c71e9c8e0d74b3977\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:50:02.065Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7017112942517350907 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was deleted by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567358Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.746Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567358Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"nethost.h\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"SourceCode\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"SourceCode\\\",\\\"fileSize\\\":2709,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"43b6f3115aa52ad9540bdbe756e1a9b3\\\",\\\"sha256Checksum\\\":\\\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:38:56Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:38:56Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":nu
ll,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/x-chdr\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-071fc5f2-9af0-594f-8c83-88575846f14e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.746Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"SourceCode\",\"Endpoint\",\"nethost.h\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2020-01-17T20:38:56Z\",\"text/x-chdr\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"2021-09-16T19:20:29.170Z\",2709,\"code42-exfil-share-datatype\",\"43b6f3115aa52ad9540bdbe756e1a9b3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"SourceCode\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.746Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:38:56Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:19.772Z 804e3b095828 Skyformation - 5124683873500115467 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.772Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.077Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567459Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:19.063Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:19.772Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567459Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console-8.2.3.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":450936,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"58a95b2ee03992ee00ce01ec759b00c8\\\",\\\"sha256Checksum\\\":\\\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:19.063Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:19.077Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":
null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-675576df-ceb0-5a0d-9bfc-3108c7890515\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:19.772Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"Test42Console-8.2.3.zip\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:15:19.077Z\",\"application/zip\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"2021-09-16T19:20:29.169Z\",450936,\"code42-exfil-share-datatype\",\"58a95b2ee03992ee00ce01ec759b00c8\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:19.772Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:19.063Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.995Z 804e3b095828 Skyformation - 4477219442250454415 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711995 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.runtimeconfig.json fsize=146 msg=Resource [Resource: file :: Test42Console-8.2.3.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.527Z ext_md5Checksum=3f892e3babc6c74c9637579412fbd0c0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=146 ext_insertionTimestamp=2021-09-16T19:18:39.567426Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.522Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.995Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567426Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console-8.2.3.runtimeconfig.json\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Uncategorized\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":146,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3f892e3babc6c74c9637579412fbd0c0\\\",\\\"sha256Checksum\\\":\\\"938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.522Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.527Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"r
emovableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/json\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a4735e80-2d88-5e48-8ae4-82cd2dea6439\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.995Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"Test42Console-8.2.3.runtimeconfig.json\",\"KATH
YK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:32.527Z\",\"application/json\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2\",\"2021-09-16T19:20:29.172Z\",146,\"code42-exfil-share-datatype\",\"3f892e3babc6c74c9637579412fbd0c0\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Uncategorized\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.995Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.522Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.806Z 804e3b095828 Skyformation - 8403369398149844084 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723806 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.806Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 ext_insertionTimestamp=2021-09-16T19:18:39.567302Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.806Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567302Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libmscordaccore.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":2802552,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"854aa71660522e18506cc263cecea7e2\\\",\\\"sha256Checksum\\\":\\\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\\\",\\\"createTimestamp\\\":\\\"2020-01-17T02:31:44Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T02:31:44Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-02f5047e-64c3-5227-9027-ce0ddb3f83f9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:23.806Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libmscordaccore.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T02:31:44Z\",\"application/octet-stream\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"2021-09-16T19:20:29.169Z\",2802552,\"code42-exfil-share-datatype\",\"854aa71660522e18506cc263cecea7e2\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.806Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T02:31:44Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.999Z 804e3b095828 Skyformation - 8907642681921436779 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711999 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.999Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.646Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567448Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.629Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.999Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567448Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console-8.2.3.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":450936,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"58a95b2ee03992ee00ce01ec759b00c8\\\",\\\"sha256Checksum\\\":\\\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.629Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.646Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":
null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1c5d953b-5212-5c47-8f16-8cdaa3e74600\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.999Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"Test42Console-8.2.3.zip\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:32.646Z\",\"application/zip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"2021-09-16T19:20:29.170Z\",450936,\"code42-exfil-share-datatype\",\"58a95b2ee03992ee00ce01ec759b00c8\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.999Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.629Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:50:02.626Z 804e3b095828 Skyformation - 7056838657966092182 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 dproc=file events dtz=default-tenant end=1631825402626 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:50:02.626Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:50:01.081Z ext_md5Checksum=0e3e512e4db31fdca7839138ea07c3cd ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658062 ext_insertionTimestamp=2021-09-16T20:51:13.592006Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:50:02.626Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:51:13.592006Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658062,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"0e3e512e4db31fdca7839138ea07c3cd\\\",\\\"sha256Checksum\\\":\\\"6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:50:01.081Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_3_61345_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-95ca0967-17bd-5ba1-9638-937d30c72aa1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T20:50:02.626Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T20:50:01.081Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723\",\"2021-09-16T20:52:28.713Z\",6658062,\"code42-exfil-share-datatype\",\"0e3e512e4db31fdca7839138ea07c3cd\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:50:02.626Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 1247614792973000445 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XPath.XDocument.dll fsize=7680 msg=Resource [Resource: file :: System.Xml.XPath.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XPath.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=82e06f761ac5ea823337cc0ea0d80265 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7680 ext_insertionTimestamp=2021-09-16T19:18:39.567046Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.744Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567046Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XPath.XDocument.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7680,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"82e06f761ac5ea823337cc0ea0d80265\\\",\\\"sha256Checksum\\\":\\\"4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f6636ef7-9d0d-57a5-b89c-a4a08d818f4a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.744Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XPath.XDocument.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec\",\"2021-09-16T19:20:29.169Z\",7680,\"code42-exfil-share-datatype\",\"82e06f761ac5ea823337cc0ea0d80265\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.744Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:33:01.185Z 804e3b095828 Skyformation - 4460753087283045225 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 dproc=file events dtz=default-tenant end=1631831581185 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:33:01.185Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:33:00.790Z ext_md5Checksum=7075f5a9476afb66da2971d452418a61 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661049 ext_insertionTimestamp=2021-09-16T22:34:07.862615Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:33:01.185Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:34:07.862615Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661049,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"7075f5a9476afb66da2971d452418a61\\\",\\\"sha256Checksum\\\":\\\"5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:33:00.790Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61427_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b6618a95-257a-52f5-b542-b6a877095e4e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:33:01.185Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:33:00.790Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7\",\"2021-09-16T22:36:29.677Z\",6661049,\"code42-exfil-share-datatype\",\"7075f5a9476afb66da2971d452418a61\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:33:01.185Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7158143674742709094 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 ext_insertionTimestamp=2021-09-16T19:18:39.567291Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.746Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567291Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libmscordaccore.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":2802552,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"854aa71660522e18506cc263cecea7e2\\\",\\\"sha256Checksum\\\":\\\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\\\",\\\"createTimestamp\\\":\\\"2020-01-17T02:31:44Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T02:31:44Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8198bde8-0245-5e2a-93fc-59c66fb696e4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.746Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libmscordaccore.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T02:31:44Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"2021-09-16T19:20:29.169Z\",2802552,\"code42-exfil-share-datatype\",\"854aa71660522e18506cc263cecea7e2\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.746Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T02:31:44Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:22:01.088Z 804e3b095828 Skyformation - 4749241203676691576 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 dproc=file events dtz=default-tenant end=1631830921088 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:22:01.088Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:22:00.690Z ext_md5Checksum=8e515a38447fb49fafaa3e7170033bae ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660730 ext_insertionTimestamp=2021-09-16T22:23:15.723548Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:22:01.088Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:23:15.723548Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660730,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8e515a38447fb49fafaa3e7170033bae\\\",\\\"sha256Checksum\\\":\\\"5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:22:00.690Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61425_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ad96c6e7-6d2f-5df9-b6e7-d303a7b7f923\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:22:01.088Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:22:00.690Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f\",\"2021-09-16T22:24:29.693Z\",6660730,\"code42-exfil-share-datatype\",\"8e515a38447fb49fafaa3e7170033bae\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:22:01.088Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 6416722578617098322 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-alert-service-rest-1.2.2.jar fsize=7019539 msg=Resource [Resource: file :: test42-fixture-code42-alert-service-rest-1.2.2.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-alert-service-rest-1.2.2.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.763Z ext_md5Checksum=df05453fe8178232379ca092d4b68707 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7019539 ext_insertionTimestamp=2021-09-16T19:18:39.567740Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.546Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.006Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567740Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-code42-alert-service-rest-1.2.2.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7019539,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"df05453fe8178232379ca092d4b68707\\\",\\\"sha256Checksum\\\":\\\"6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:27.546Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:27.763Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-412a5023-44d2-5525-a625-4f57e9139e3c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.006Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-code42-alert-service-rest-1.2.2.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:27.763Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab\",\"2021-09-16T19:20:29.168Z\",7019539,\"code42-exfil-share-datatype\",\"df05453fe8178232379ca092d4b68707\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.006Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:27.546Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 462618621597382345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.137Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567927Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.822Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567927Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11047889,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"c32214157ad2def6a511701ce4e0a562\\\",\\\"sha256Checksum\\\":\\\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:31.822Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.137Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-97403b8e-6aff-5cd3-a460-803204a1cfc9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:32.137Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"2021-09-16T19:20:29.169Z\",11047889,\"code42-exfil-share-datatype\",\"c32214157ad2def6a511701ce4e0a562\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:31.822Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.076Z 804e3b095828 Skyformation - 58928744233355401 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724076 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.076Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567012Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.076Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567012Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.Serialization.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"9f738865f15c0a0be0e20e709bc3d36d\\\",\\\"sha256Checksum\\\":\\\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-10061513-9751-5b3c-852f-d7df4246f094\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:24.076Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.Serialization.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"2021-09-16T19:20:29.167Z\",6656,\"code42-exfil-share-datatype\",\"9f738865f15c0a0be0e20e709bc3d36d\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.076Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.805Z 804e3b095828 Skyformation - 3819734286974639827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723805 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.805Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567280Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.805Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567280Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libhostpolicy.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":315420,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"006913ffaf68f205cc00bd03cc0d3761\\\",\\\"sha256Checksum\\\":\\\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:42:18Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:42:18Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-452a4ed9-abce-5890-a830-82ddb5eaa49b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:23.805Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libhostpolicy.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:42:18Z\",\"application/octet-stream\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"2021-09-16T19:20:29.168Z\",315420,\"code42-exfil-share-datatype\",\"006913ffaf68f205cc00bd03cc0d3761\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.805Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:42:18Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:12:02.578Z 804e3b095828 Skyformation - 1251318046287163167 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 dproc=file events dtz=default-tenant end=1631826722578 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:12:02.578Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:12:00.729Z ext_md5Checksum=dbc1cb1cfb3298c65169ae22e5f6f7c3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658700 ext_insertionTimestamp=2021-09-16T21:12:39.659856Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:12:02.578Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:12:39.659856Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658700,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"dbc1cb1cfb3298c65169ae22e5f6f7c3\\\",\\\"sha256Checksum\\\":\\\"04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:12:00.729Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61383_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-762de8d1-3a28-5dc3-9b5a-a2f4a034504c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T21:12:02.578Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:12:00.729Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86\",\"2021-09-16T21:14:30.111Z\",6658700,\"code42-exfil-share-datatype\",\"dbc1cb1cfb3298c65169ae22e5f6f7c3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:12:02.578Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:17.834Z 804e3b095828 Skyformation - 7862693865552891800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819717834 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:17.834Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.599Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 ext_insertionTimestamp=2021-09-16T19:18:39.567729Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.382Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:17.834Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567729Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7657197,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"61898b6da7ebbf3a13be7c76ae49e5f5\\\",\\\"sha256Checksum\\\":\\\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:17.382Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:17.599Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1f1a61cc-36a1-5d00-b37d-186d933c3aff\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:17.834Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:17.599Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"2021-09-16T19:20:29.170Z\",7657197,\"code42-exfil-share-datatype\",\"61898b6da7ebbf3a13be7c76ae49e5f5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:17.834Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:17.382Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4235368662387611807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567001Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.744Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567001Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.Serialization.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"9f738865f15c0a0be0e20e709bc3d36d\\\",\\\"sha256Checksum\\\":\\\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cd2c1f21-0ba5-54a9-a265-cebe9ec4f240\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.744Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.Serialization.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"2021-09-16T19:20:29.157Z\",6656,\"code42-exfil-share-datatype\",\"9f738865f15c0a0be0e20e709bc3d36d\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.744Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.064Z 804e3b095828 Skyformation - 4009757464107454250 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724064 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.064Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566878Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.064Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566878Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.ValueTuple.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":5632,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"749df27ac6199cfa7c4b38c78528d3c7\\\",\\\"sha256Checksum\\\":\\\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-87f5bd74-534f-5452-9443-5780f3c04592\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:24.064Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.ValueTuple.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"2021-09-16T19:20:29.169Z\",5632,\"code42-exfil-share-datatype\",\"749df27ac6199cfa7c4b38c78528d3c7\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.064Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 
0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE 
Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-14468291-feda-589f-aff6-c26b375c9a21\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.159Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:17:02.424Z 804e3b095828 Skyformation - 1426281696218831775 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 dproc=file events dtz=default-tenant end=1631830622424 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:17:02.424Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T22:17:01.080Z ext_md5Checksum=45271570c0b4116a1346bc72d738bdb7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660585 ext_insertionTimestamp=2021-09-16T22:18:10.576136Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:17:02.424Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:18:10.576136Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660585,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"45271570c0b4116a1346bc72d738bdb7\\\",\\\"sha256Checksum\\\":\\\"7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:17:01.080Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61425_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4d8f5eeb-ef31-559e-bd07-4110d914aed6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:17:02.424Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:17:01.080Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf\",\"2021-09-16T22:18:30.436Z\",6660585,\"code42-exfil-share-datatype\",\"45271570c0b4116a1346bc72d738bdb7\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:17:02.424Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 7344986800471780939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.617Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568132Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.538Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.997Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568132Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"test42-console-8.2.3.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2573374,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"aa7ef1099a4cd7eb288430e0f8621b0c\\\",\\\"sha256Checksum\\\":\\\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.538Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.617Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusT
ype\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-12273ce2-c1f1-56d6-940c-1caa8cc3def0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:15:11.997Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-console-8.2.3.jar\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:32.617Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"2021-09-16T19:20:29.169Z\",2573374,\"code42-exfil-share-datatype\",\"aa7ef1099a4cd7eb288430e0f8621b0c\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.997Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.538Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:45:02.992Z 804e3b095828 Skyformation - 7407412671789166693 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 dproc=file events dtz=default-tenant end=1631821502992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:45:02.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:45:00.674Z ext_md5Checksum=fdd100bc2a43a9756c77a0f9bc9a6bb1 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656177 ext_insertionTimestamp=2021-09-16T19:46:24.888007Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:45:02.992Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:46:24.888007Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656177,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"fdd100bc2a43a9756c77a0f9bc9a6bb1\\\",\\\"sha256Checksum\\\":\\\"d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:45:00.674Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61335_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-031676c5-8fde-5d2f-a294-dcc4907a8027\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T19:45:02.992Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:45:00.674Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b\",\"2021-09-16T19:46:29.180Z\",6656177,\"code42-exfil-share-datatype\",\"fdd100bc2a43a9756c77a0f9bc9a6bb1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:45:02.992Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}}]}}}],\"errors\":[{\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"code\":\"too-many-messages-warning\",\"message\":\"There are more messages in Exabeam for kathy.kane@c42se.com than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages.\",\"type\":\"warning\",\"module\":\"Exabeam\"}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T08:46:07.457Z\",\"uuid\":\"194360e4-b8f2-44b6-9386-2d9df7a3a549\"}]", "short_description": "Exabeam_email", "omittedObservables": [], "archivedObservables": [{"key": "2dde50ee-8aa4-4e5b-83b7-465c8f586c94", "value": "kathy.kane@c42se.com", "indicators": [], "type": "email", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "eb1b756a", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "email", "value": "kathy.kane@c42se.com"}, "type": "warning", "action_id": "194360e4-b8f2-44b6-9386-2d9df7a3a549", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for kathy.kane@c42se.com than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "kathy.kane@c42se.com", "id": "eb1b756a", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:45:02.992Z 804e3b095828 Skyformation - 7407412671789166693 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 dproc=file events dtz=default-tenant end=1631821502992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:45:02.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:45:00.674Z ext_md5Checksum=fdd100bc2a43a9756c77a0f9bc9a6bb1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656177 ext_insertionTimestamp=2021-09-16T19:46:24.888007Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:45:02.992Z\",\"insertionTimestamp\":\"2021-09-16T19:46:24.888007Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656177,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fdd100bc2a43a9756c77a0f9bc9a6bb1\",\"sha256Checksum\":\"d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:45:00.674Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:45:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61335_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-031676c5-8fde-5d2f-a294-dcc4907a8027", "observed_start_time": "2021-09-16T19:45:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:45:02.992Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", 
"type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:45:00.674Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b", "2021-09-16T19:46:29.180Z", 6656177, "code42-exfil-share-datatype", "fdd100bc2a43a9756c77a0f9bc9a6bb1", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:45:02.992Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 7344986800471780939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 
ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.617Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568132Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.538Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.997Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568132Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"test42-console-8.2.3.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2573374,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa7ef1099a4cd7eb288430e0f8621b0c\",\"sha256Checksum\":\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"createTimestamp\":\"2021-09-16T14:29:32.538Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.617Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\
":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-12273ce2-c1f1-56d6-940c-1caa8cc3def0", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.997Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-console-8.2.3.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.617Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee", "2021-09-16T19:20:29.169Z", 2573374, "code42-exfil-share-datatype", "aa7ef1099a4cd7eb288430e0f8621b0c", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.997Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.538Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:17:02.424Z 804e3b095828 Skyformation - 1426281696218831775 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 dproc=file events dtz=default-tenant end=1631830622424 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:17:02.424Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:17:01.080Z ext_md5Checksum=45271570c0b4116a1346bc72d738bdb7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660585 ext_insertionTimestamp=2021-09-16T22:18:10.576136Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:17:02.424Z\",\"insertionTimestamp\":\"2021-09-16T22:18:10.576136Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660585,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"45271570c0b4116a1346bc72d738bdb7\",\"sha256Checksum\":\"7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:17:01.080Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:17:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61425_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d8f5eeb-ef31-559e-bd07-4110d914aed6", "observed_start_time": "2021-09-16T22:17:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:17:02.424Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:17:01.080Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf", "2021-09-16T22:18:30.436Z", 6660585, "code42-exfil-share-datatype", "45271570c0b4116a1346bc72d738bdb7", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:17:02.424Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] 
cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-14468291-feda-589f-aff6-c26b375c9a21", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "email", "ctr_uuid": "1430cdb0-e2b9-48e8-b049-c6d851398a76", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.064Z 804e3b095828 Skyformation - 4009757464107454250 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724064 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.064Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566878Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.064Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566878Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.ValueTuple.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5632,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"749df27ac6199cfa7c4b38c78528d3c7\",\"sha256Checksum\":\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailR
ecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-87f5bd74-534f-5452-9443-5780f3c04592", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.064Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ValueTuple.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e", "2021-09-16T19:20:29.169Z", 5632, "code42-exfil-share-datatype", "749df27ac6199cfa7c4b38c78528d3c7", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.064Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4235368662387611807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 
ext_insertionTimestamp=2021-09-16T19:18:39.567001Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567001Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Serialization.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9f738865f15c0a0be0e20e709bc3d36d\",\"sha256Checksum\":\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_7_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cd2c1f21-0ba5-54a9-a265-cebe9ec4f240", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Serialization.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34", "2021-09-16T19:20:29.157Z", 6656, "code42-exfil-share-datatype", "9f738865f15c0a0be0e20e709bc3d36d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:17.834Z 804e3b095828 Skyformation - 7862693865552891800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819717834 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:17.834Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.599Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 ext_insertionTimestamp=2021-09-16T19:18:39.567729Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.382Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:17.834Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567729Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7657197,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"61898b6da7ebbf3a13be7c76ae49e5f5\",\"sha256Checksum\":\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"createTimestamp\":\"2021-09-16T19:15:17.382Z\",\"modifyTimestamp\":\"2021-09-16T19:15:17.599Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":nu
ll,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:17Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1f1a61cc-36a1-5d00-b37d-186d933c3aff", "observed_start_time": "2021-09-16T19:15:17Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:17.834Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:17.599Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43", "2021-09-16T19:20:29.170Z", 7657197, "code42-exfil-share-datatype", "61898b6da7ebbf3a13be7c76ae49e5f5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:17.834Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.382Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:12:02.578Z 804e3b095828 Skyformation - 1251318046287163167 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 dproc=file events dtz=default-tenant end=1631826722578 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:12:02.578Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:12:00.729Z ext_md5Checksum=dbc1cb1cfb3298c65169ae22e5f6f7c3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658700 ext_insertionTimestamp=2021-09-16T21:12:39.659856Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:12:02.578Z\",\"insertionTimestamp\":\"2021-09-16T21:12:39.659856Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658700,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"dbc1cb1cfb3298c65169ae22e5f6f7c3\",\"sha256Checksum\":\"04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:12:00.729Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"
emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:12:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61383_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-762de8d1-3a28-5dc3-9b5a-a2f4a034504c", "observed_start_time": "2021-09-16T21:12:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:12:02.578Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:12:00.729Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86", "2021-09-16T21:14:30.111Z", 6658700, "code42-exfil-share-datatype", "dbc1cb1cfb3298c65169ae22e5f6f7c3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:12:02.578Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.805Z 804e3b095828 Skyformation - 3819734286974639827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723805 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.805Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567280Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.805Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567280Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libhostpolicy.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":315420,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"006913ffaf68f205cc00bd03cc0d3761\",\"sha256Checksum\":\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"createTimestamp\":\"2020-01-17T20:42:18Z\",\"modifyTimestamp\":\"2020-01-17T20:42:18Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_19_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-452a4ed9-abce-5890-a830-82ddb5eaa49b", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.805Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libhostpolicy.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:42:18Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c", "2021-09-16T19:20:29.168Z", 315420, "code42-exfil-share-datatype", "006913ffaf68f205cc00bd03cc0d3761", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.805Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:42:18Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.076Z 804e3b095828 Skyformation - 58928744233355401 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724076 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.076Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567012Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.076Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567012Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Serialization.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9f738865f15c0a0be0e20e709bc3d36d\",\"sha256Checksum\":\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\
"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-10061513-9751-5b3c-852f-d7df4246f094", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.076Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", 
"type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Serialization.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34", "2021-09-16T19:20:29.167Z", 6656, "code42-exfil-share-datatype", "9f738865f15c0a0be0e20e709bc3d36d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.076Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 462618621597382345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.137Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567927Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.822Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567927Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11047889,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c32214157ad2def6a511701ce4e0a562\",\"sha256Checksum\":\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"createTimestamp\":\"2021-09-16T14:29:31.822Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.137Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_2_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-97403b8e-6aff-5cd3-a460-803204a1cfc9", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.137Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b", "2021-09-16T19:20:29.169Z", 11047889, "code42-exfil-share-datatype", "c32214157ad2def6a511701ce4e0a562", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:31.822Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 6416722578617098322 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-alert-service-rest-1.2.2.jar fsize=7019539 msg=Resource [Resource: file :: test42-fixture-code42-alert-service-rest-1.2.2.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-alert-service-rest-1.2.2.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.763Z ext_md5Checksum=df05453fe8178232379ca092d4b68707 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7019539 ext_insertionTimestamp=2021-09-16T19:18:39.567740Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.546Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567740Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-alert-service-rest-1.2.2.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7019539,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"df05453fe8178232379ca092d4b68707\",\"sha256Checksum\":\"6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab\",\"createTimestamp\":\"2021-09-16T14:29:27.546Z\",\"modifyTimestamp\":\"2021-09-16T14:29:27.763Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emai
lRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-412a5023-44d2-5525-a625-4f57e9139e3c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-alert-service-rest-1.2.2.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:27.763Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab", "2021-09-16T19:20:29.168Z", 7019539, "code42-exfil-share-datatype", "df05453fe8178232379ca092d4b68707", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.546Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:22:01.088Z 804e3b095828 Skyformation - 4749241203676691576 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 dproc=file events dtz=default-tenant end=1631830921088 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:22:01.088Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:22:00.690Z ext_md5Checksum=8e515a38447fb49fafaa3e7170033bae ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660730 ext_insertionTimestamp=2021-09-16T22:23:15.723548Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:22:01.088Z\",\"insertionTimestamp\":\"2021-09-16T22:23:15.723548Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660730,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8e515a38447fb49fafaa3e7170033bae\",\"sha256Checksum\":\"5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:22:00.690Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:22:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61425_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ad96c6e7-6d2f-5df9-b6e7-d303a7b7f923", "observed_start_time": "2021-09-16T22:22:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "a7fd941d-edea-4706-9699-2a2f79ca15d2", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:22:01.088Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:22:00.690Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f", "2021-09-16T22:24:29.693Z", 6660730, "code42-exfil-share-datatype", "8e515a38447fb49fafaa3e7170033bae", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:22:01.088Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7158143674742709094 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 
ext_insertionTimestamp=2021-09-16T19:18:39.567291Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567291Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libmscordaccore.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2802552,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"854aa71660522e18506cc263cecea7e2\",\"sha256Checksum\":\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"createTimestamp\":\"2020-01-17T02:31:44Z\",\"modifyTimestamp\":\"2020-01-17T02:31:44Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_13_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8198bde8-0245-5e2a-93fc-59c66fb696e4", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libmscordaccore.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:31:44Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab", "2021-09-16T19:20:29.169Z", 2802552, "code42-exfil-share-datatype", "854aa71660522e18506cc263cecea7e2", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:31:44Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:33:01.185Z 804e3b095828 Skyformation - 4460753087283045225 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 dproc=file events dtz=default-tenant end=1631831581185 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:33:01.185Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:33:00.790Z ext_md5Checksum=7075f5a9476afb66da2971d452418a61 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661049 ext_insertionTimestamp=2021-09-16T22:34:07.862615Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:33:01.185Z\",\"insertionTimestamp\":\"2021-09-16T22:34:07.862615Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661049,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7075f5a9476afb66da2971d452418a61\",\"sha256Checksum\":\"5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:33:00.790Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:33:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b6618a95-257a-52f5-b542-b6a877095e4e", "observed_start_time": "2021-09-16T22:33:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "aa545d84-3600-423b-b4c0-36ff943bb68d", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:33:01.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:33:00.790Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7", "2021-09-16T22:36:29.677Z", 6661049, "code42-exfil-share-datatype", "7075f5a9476afb66da2971d452418a61", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:33:01.185Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 1247614792973000445 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XPath.XDocument.dll fsize=7680 msg=Resource [Resource: file :: System.Xml.XPath.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XPath.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=82e06f761ac5ea823337cc0ea0d80265 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7680 ext_insertionTimestamp=2021-09-16T19:18:39.567046Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567046Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XPath.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7680,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"82e06f761ac5ea823337cc0ea0d80265\",\"sha256Checksum\":\"4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f6636ef7-9d0d-57a5-b89c-a4a08d818f4a", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XPath.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec", "2021-09-16T19:20:29.169Z", 7680, "code42-exfil-share-datatype", "82e06f761ac5ea823337cc0ea0d80265", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:50:02.626Z 804e3b095828 Skyformation - 7056838657966092182 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 dproc=file events dtz=default-tenant end=1631825402626 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:50:02.626Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:50:01.081Z ext_md5Checksum=0e3e512e4db31fdca7839138ea07c3cd ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658062 ext_insertionTimestamp=2021-09-16T20:51:13.592006Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:50:02.626Z\",\"insertionTimestamp\":\"2021-09-16T20:51:13.592006Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658062,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0e3e512e4db31fdca7839138ea07c3cd\",\"sha256Checksum\":\"6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:50:01.081Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_3_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-95ca0967-17bd-5ba1-9638-937d30c72aa1", "observed_start_time": "2021-09-16T20:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:50:02.626Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:50:01.081Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723", "2021-09-16T20:52:28.713Z", 6658062, "code42-exfil-share-datatype", "0e3e512e4db31fdca7839138ea07c3cd", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:50:02.626Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.999Z 804e3b095828 Skyformation - 8907642681921436779 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711999 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.999Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.646Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567448Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-16T14:29:32.629Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.999Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567448Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":450936,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"58a95b2ee03992ee00ce01ec759b00c8\",\"sha256Checksum\":\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"createTimestamp\":\"2021-09-16T14:29:32.629Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.646Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_7_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1c5d953b-5212-5c47-8f16-8cdaa3e74600", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.999Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "Test42Console-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.646Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71", "2021-09-16T19:20:29.170Z", 450936, "code42-exfil-share-datatype", "58a95b2ee03992ee00ce01ec759b00c8", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.999Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.629Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.806Z 804e3b095828 Skyformation - 8403369398149844084 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723806 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.806Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 ext_insertionTimestamp=2021-09-16T19:18:39.567302Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.806Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567302Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libmscordaccore.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2802552,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"854aa71660522e18506cc263cecea7e2\",\"sha256Checksum\":\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"createTimestamp\":\"2020-01-17T02:31:44Z\",\"modifyTimestamp\":\"2020-01-17T02:31:44Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\
"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-02f5047e-64c3-5227-9027-ce0ddb3f83f9", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.806Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libmscordaccore.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:31:44Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab", "2021-09-16T19:20:29.169Z", 2802552, "code42-exfil-share-datatype", "854aa71660522e18506cc263cecea7e2", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.806Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:31:44Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.995Z 804e3b095828 Skyformation - 4477219442250454415 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711995 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.runtimeconfig.json fsize=146 msg=Resource [Resource: file :: Test42Console-8.2.3.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.527Z ext_md5Checksum=3f892e3babc6c74c9637579412fbd0c0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=146 ext_insertionTimestamp=2021-09-16T19:18:39.567426Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.522Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.995Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567426Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.runtimeconfig.json\",\"fileType\":\"FILE\",\"fileCategory\":\"Uncategorized\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":146,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3f892e3babc6c74c9637579412fbd0c0\",\"sha256Checksum\":\"938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2\",\"createTimestamp\":\"2021-09-16T14:29:32.522Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.527Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/json\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a4735e80-2d88-5e48-8ae4-82cd2dea6439", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.995Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Test42Console-8.2.3.runtimeconfig.json", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.527Z", "application/json", "DELETED", "162.222.47.183", "kathy.kane", "938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2", "2021-09-16T19:20:29.172Z", 146, "code42-exfil-share-datatype", "3f892e3babc6c74c9637579412fbd0c0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Uncategorized", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.995Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.522Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.772Z 804e3b095828 Skyformation - 5124683873500115467 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.772Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.077Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567459Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:19.063Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.772Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567459Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":450936,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"58a95b2ee03992ee00ce01ec759b00c8\",\"sha256Checksum\":\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"createTimestamp\":\"2021-09-16T19:15:19.063Z\",\"modifyTimestamp\":\"2021-09-16T19:15:19.077Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,
\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-675576df-ceb0-5a0d-9bfc-3108c7890515", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.772Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "Test42Console-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:19.077Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71", "2021-09-16T19:20:29.169Z", 450936, "code42-exfil-share-datatype", "58a95b2ee03992ee00ce01ec759b00c8", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.772Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:19.063Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7017112942517350907 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was deleted by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567358Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567358Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"nethost.h\",\"fileType\":\"FILE\",\"fileCategory\":\"SourceCode\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"SourceCode\",\"fileSize\":2709,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"43b6f3115aa52ad9540bdbe756e1a9b3\",\"sha256Checksum\":\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"createTimestamp\":\"2020-01-17T20:38:56Z\",\"modifyTimestamp\":\"2020-01-17T20:38:56Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/x-chdr\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61265_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-071fc5f2-9af0-594f-8c83-88575846f14e", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "SourceCode", "Endpoint", "nethost.h", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:38:56Z", "text/x-chdr", "DELETED", "162.222.47.183", "kathy.kane", "c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f", "2021-09-16T19:20:29.170Z", 2709, "code42-exfil-share-datatype", "43b6f3115aa52ad9540bdbe756e1a9b3", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "SourceCode", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:38:56Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:50:02.065Z 804e3b095828 Skyformation - 8498846088421542075 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 dproc=file events dtz=default-tenant end=1631821802065 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:50:02.065Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:50:00.154Z ext_md5Checksum=419c9c07c999bc2c71e9c8e0d74b3977 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656322 ext_insertionTimestamp=2021-09-16T19:51:24.240399Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:50:02.065Z\",\"insertionTimestamp\":\"2021-09-16T19:51:24.240399Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656322,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"419c9c07c999bc2c71e9c8e0d74b3977\",\"sha256Checksum\":\"c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:50:00.154Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61338_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b860517a-d359-5618-b9da-cbb484cb38e6", "observed_start_time": "2021-09-16T19:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:50:02.065Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:50:00.154Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb", "2021-09-16T19:52:28.142Z", 6656322, "code42-exfil-share-datatype", "419c9c07c999bc2c71e9c8e0d74b3977", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:50:02.065Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:23:01.314Z 804e3b095828 Skyformation - 930370924908933384 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 dproc=file events dtz=default-tenant end=1631820181314 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:23:01.314Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:23:00.067Z ext_md5Checksum=8ce945a5034d673a8c3df84df944e9e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655539 ext_insertionTimestamp=2021-09-16T19:24:05.872543Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:23:01.314Z\",\"insertionTimestamp\":\"2021-09-16T19:24:05.872543Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6655539,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8ce945a5034d673a8c3df84df944e9e2\",\"sha256Checksum\":\"eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:23:00.067Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:23:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61298_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-edf54539-1473-5d66-97c1-f95cf9899b35", "observed_start_time": "2021-09-16T19:23:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:23:01.314Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:23:00.067Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f", "2021-09-16T19:24:29.929Z", 6655539, "code42-exfil-share-datatype", "8ce945a5034d673a8c3df84df944e9e2", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:23:01.314Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:27.623Z 804e3b095828 Skyformation - 3964934661273873169 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819727623 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was created by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:27.623Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 
ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:27.409Z ext_md5Checksum=232b292616f09cef3e0e8ba9805a2963 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568099Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:27.408Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:27.623Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568099Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Dotnet.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":202,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"232b292616f09cef3e0e8ba9805a2963\",\"sha256Checksum\":\"88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912\",\"createTimestamp\":\"2021-09-16T19:15:27.408Z\",\"modifyTimestamp\":\"2021-09-16T19:15:27.409Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":fals
e,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0e09b581-9e7d-5195-8a38-88102b9c437d", "observed_start_time": "2021-09-16T19:15:27Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:27.623Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Dotnet.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:27.409Z", "application/x-sh", "CREATED", "162.222.47.183", "kathy.kane", "88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912", "2021-09-16T19:20:29.167Z", 202, "code42-exfil-share-datatype", "232b292616f09cef3e0e8ba9805a2963", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:27.623Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:27.408Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:01:00.819Z 804e3b095828 Skyformation - 4261722877678484633 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 dproc=file 
events dtz=default-tenant end=1631826060819 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:01:00.819Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:01:00.560Z ext_md5Checksum=da192fa26ed85e10ce7bb718251110ad ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658381 ext_insertionTimestamp=2021-09-16T21:01:47.308430Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:01:00.819Z\",\"insertionTimestamp\":\"2021-09-16T21:01:47.308430Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658381,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"da192fa26ed85e10ce7bb718251110ad\",\"sha256Checksum\":\"74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:01:00.560Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"172.20.64.15\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:01:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7711c718-0e21-5675-bb34-071d60939878", "observed_start_time": "2021-09-16T21:01:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:01:00.819Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "172.20.64.15", "2021-09-16T21:01:00.560Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53", "2021-09-16T21:02:28.778Z", 6658381, "code42-exfil-share-datatype", "da192fa26ed85e10ce7bb718251110ad", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:01:00.819Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 6610991199308768678 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567179Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567179Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"WindowsBase.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d8a0e4361c61034952e56a4eaac26925\",\"sha256Checksum\":\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-85a1f9cb-fdf2-5bd3-8178-3d11c1f5cec4", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsBase.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597", "2021-09-16T19:20:29.168Z", 6656, "code42-exfil-share-datatype", "d8a0e4361c61034952e56a4eaac26925", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 2798890335140955527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.567023Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567023Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fef6c873d31e77de3f5c254593f606d0\",\"sha256Checksum\":\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"ema
ilRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ede94b18-04d2-554a-90e6-ab609600fa70", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3", "2021-09-16T19:20:29.167Z", 6144, "code42-exfil-share-datatype", "fef6c873d31e77de3f5c254593f606d0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.078Z 804e3b095828 Skyformation - 7299018334312800224 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724078 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.078Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 
ext_insertionTimestamp=2021-09-16T19:18:39.567035Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.078Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567035Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fef6c873d31e77de3f5c254593f606d0\",\"sha256Checksum\":\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_11_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f91637db-83e4-5758-b551-7c227aba1a5d", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.078Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3", "2021-09-16T19:20:29.168Z", 6144, "code42-exfil-share-datatype", "fef6c873d31e77de3f5c254593f606d0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.078Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:28:01.712Z 804e3b095828 Skyformation - 891655873053505721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 dproc=file events dtz=default-tenant end=1631827681712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:28:01.712Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:28:00.665Z ext_md5Checksum=043ea115b4517db2f0aa7c5853f7385b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659164 ext_insertionTimestamp=2021-09-16T21:28:58.572803Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:28:01.712Z\",\"insertionTimestamp\":\"2021-09-16T21:28:58.572803Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659164,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"043ea115b4517db2f0aa7c5853f7385b\",\"sha256Checksum\":\"49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:28:00.665Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:28:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d5a79131-010e-5b41-9357-c3586091d05e", "observed_start_time": "2021-09-16T21:28:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:28:01.712Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:28:00.665Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4", "2021-09-16T21:30:29.019Z", 6659164, "code42-exfil-share-datatype", "043ea115b4517db2f0aa7c5853f7385b", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:28:01.712Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.033Z 804e3b095828 Skyformation - 5428778102527363807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712033 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.033Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.287Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567537Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.033Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567537Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-Test42Runner-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":468043,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2fa8d4d1035f2e127169e5e649d52ed1\",\"sha256Checksum\":\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"createTimestamp\":\"2021-09-16T14:29:26.269Z\",\"modifyTimestamp\":\"2021-09-16T14:29:26.287Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-04487d78-acfd-5735-a210-f113f8855f9c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-Test42Runner-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:26.287Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4", "2021-09-16T19:20:29.169Z", 468043, "code42-exfil-share-datatype", "2fa8d4d1035f2e127169e5e649d52ed1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.033Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:26.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:02.481Z\",\"insertionTimestamp\":\"2021-09-16T22:55:54.847061Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661687,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3df126f4a090da12f2c29b6e5c1c29da\",\"sha256Checksum\":\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.206Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1d9f33fa-cc28-5fe5-9975-5003f91369d6", "observed_start_time": "2021-09-16T22:55:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "b5e047b0-70bf-4cda-9513-e3fb2fffd016", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:02.481Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:55:00.206Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c", "2021-09-16T22:58:29.755Z", 6661687, "code42-exfil-share-datatype", "3df126f4a090da12f2c29b6e5c1c29da", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:55:02.481Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:06:01.028Z 804e3b095828 Skyformation - 8997259429135136842 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 dproc=file events dtz=default-tenant end=1631829961028 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:06:01.028Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:06:00.773Z ext_md5Checksum=e3826febfa687b19d431037a05e3d695 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660266 ext_insertionTimestamp=2021-09-16T22:06:57.577426Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:06:01.028Z\",\"insertionTimestamp\":\"2021-09-16T22:06:57.577426Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660266,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e3826febfa687b19d431037a05e3d695\",\"sha256Checksum\":\"a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:06:00.773Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:06:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61424_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0c80d806-8279-587b-8b43-c95ce2fcdd89", "observed_start_time": "2021-09-16T22:06:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:06:01.028Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:06:00.773Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6", "2021-09-16T22:08:29.515Z", 6660266, "code42-exfil-share-datatype", "e3826febfa687b19d431037a05e3d695", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:06:01.028Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:01:01.612Z 804e3b095828 Skyformation - 5476861324589104236 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 dproc=file events dtz=default-tenant end=1631829661612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:01:01.612Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:01:00.223Z ext_md5Checksum=aa34550e46232e041e8738f575568b63 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660121 ext_insertionTimestamp=2021-09-16T22:01:32.790174Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:01:01.612Z\",\"insertionTimestamp\":\"2021-09-16T22:01:32.790174Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660121,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa34550e46232e041e8738f575568b63\",\"sha256Checksum\":\"6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:01:00.223Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:01:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7f05d117-a06c-5922-8649-7708e4d80765", "observed_start_time": "2021-09-16T22:01:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:01:01.612Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:01:00.223Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530", "2021-09-16T22:04:30.120Z", 6660121, "code42-exfil-share-datatype", "aa34550e46232e041e8738f575568b63", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:01:01.612Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:39:03.445Z 804e3b095828 Skyformation - 2624752478966021475 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 dproc=file events dtz=default-tenant end=1631821143445 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:39:03.445Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:39:01.028Z ext_md5Checksum=2f0e54e1e35e34e9a4b6c5b586789edf ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656003 ext_insertionTimestamp=2021-09-16T19:40:23.773101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:39:03.445Z\",\"insertionTimestamp\":\"2021-09-16T19:40:23.773101Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656003,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2f0e54e1e35e34e9a4b6c5b586789edf\",\"sha256Checksum\":\"22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:39:01.028Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:39:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61338_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d473561a-d486-58d7-9d54-79dca5b2d69e", "observed_start_time": "2021-09-16T19:39:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:39:03.445Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:39:01.028Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534", "2021-09-16T19:40:28.880Z", 6656003, "code42-exfil-share-datatype", "2f0e54e1e35e34e9a4b6c5b586789edf", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:39:03.445Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:55:01.913Z 804e3b095828 Skyformation - 1768128187348227515 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 dproc=file events dtz=default-tenant end=1631829301913 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:55:01.913Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:55:00.543Z ext_md5Checksum=dc00517c1ea40d76a86ac0775630315b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659947 ext_insertionTimestamp=2021-09-16T21:56:06.248063Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:55:01.913Z\",\"insertionTimestamp\":\"2021-09-16T21:56:06.248063Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659947,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"dc00517c1ea40d76a86ac0775630315b\",\"sha256Checksum\":\"dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:55:00.543Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:55:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61422_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-15c0c9b0-6bdf-53a1-add0-1f2928d4286d", "observed_start_time": "2021-09-16T21:55:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:55:01.913Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:55:00.543Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37", "2021-09-16T21:58:29.321Z", 6659947, "code42-exfil-share-datatype", "dc00517c1ea40d76a86ac0775630315b", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:55:01.913Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:17:01.240Z 804e3b095828 Skyformation - 6379287197034431494 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 dproc=file events dtz=default-tenant end=1631827021240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:17:01.240Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:17:00.229Z ext_md5Checksum=37d786d2ffe3997a1a4913f817e1163c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658845 ext_insertionTimestamp=2021-09-16T21:18:05.961899Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:17:01.240Z\",\"insertionTimestamp\":\"2021-09-16T21:18:05.961899Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658845,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"37d786d2ffe3997a1a4913f817e1163c\",\"sha256Checksum\":\"144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:17:00.229Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:17:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61401_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4e4fc7d1-49ea-5c9b-bca5-6f1b79386f29", "observed_start_time": "2021-09-16T21:17:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:17:01.240Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:17:00.229Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817", "2021-09-16T21:18:29.165Z", 6658845, "code42-exfil-share-datatype", "37d786d2ffe3997a1a4913f817e1163c", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:17:01.240Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 7619218699635329950 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567201Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567201Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libclrjit.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2741416,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"650f69041d44556a5f3bdbcace8b3dea\",\"sha256Checksum\":\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"createTimestamp\":\"2020-01-17T02:29:02Z\",\"modifyTimestamp\":\"2020-01-17T02:29:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_17_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66849bfc-3193-508e-8ee8-6bb759846345", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libclrjit.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:29:02Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959", "2021-09-16T19:20:29.167Z", 2741416, "code42-exfil-share-datatype", "650f69041d44556a5f3bdbcace8b3dea", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:29:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:06:01.487Z 804e3b095828 Skyformation - 6710622959611147958 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 dproc=file events dtz=default-tenant end=1631826361487 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:06:01.487Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:06:00.163Z ext_md5Checksum=60bf5e7434748875904b3d240e9933b7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658526 ext_insertionTimestamp=2021-09-16T21:07:13.335410Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:06:01.487Z\",\"insertionTimestamp\":\"2021-09-16T21:07:13.335410Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658526,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"60bf5e7434748875904b3d240e9933b7\",\"sha256Checksum\":\"f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:06:00.163Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:06:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61346_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-367d899b-650f-51b4-a6a1-0534a3961b75", "observed_start_time": "2021-09-16T21:06:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:06:01.487Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:06:00.163Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba", "2021-09-16T21:08:28.978Z", 6658526, "code42-exfil-share-datatype", "60bf5e7434748875904b3d240e9933b7", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:06:01.487Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:34:01.736Z 804e3b095828 Skyformation - 2573052291884632109 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 dproc=file events dtz=default-tenant 
end=1631820841736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:34:01.736Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:34:00.437Z ext_md5Checksum=5082d25b519827369f4026d1de2ee6ca ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655858 ext_insertionTimestamp=2021-09-16T19:34:57.134540Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:34:01.736Z\",\"insertionTimestamp\":\"2021-09-16T19:34:57.134540Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6655858,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5082d25b519827369f4026d1de2ee6ca\",\"sha256Checksum\":\"7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:34:00.437Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:34:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61335_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d0c40d9-1a17-5018-b60d-c3342b98c94c", "observed_start_time": "2021-09-16T19:34:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:34:01.736Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:34:00.437Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b", "2021-09-16T19:36:28.977Z", 6655858, "code42-exfil-share-datatype", "5082d25b519827369f4026d1de2ee6ca", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:34:01.736Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 2397866919275056029 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Web.HttpUtility.dll fsize=36864 msg=Resource [Resource: file :: System.Web.HttpUtility.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Web.HttpUtility.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=306b1de856625f7499d783f7b4b79f38 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36864 ext_insertionTimestamp=2021-09-16T19:18:39.566889Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.743Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566889Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Web.HttpUtility.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36864,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"306b1de856625f7499d783f7b4b79f38\",\"sha256Checksum\":\"125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_3_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-811d4e91-e46b-5844-9af9-7c850abf3da3", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.743Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Web.HttpUtility.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8", "2021-09-16T19:20:29.168Z", 36864, "code42-exfil-share-datatype", "306b1de856625f7499d783f7b4b79f38", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.743Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 58574569231396443 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.487Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567858Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.287Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567858Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-common-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6080452,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"08215631827e4179e243d27b5f502f90\",\"sha256Checksum\":\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"createTimestamp\":\"2021-09-16T14:29:27.287Z\",\"modifyTimestamp\":\"2021-09-16T14:29:27.487Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRec
ipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2080f524-24c7-5036-968e-df2b85f1b54f", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-common-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:27.487Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1", "2021-09-16T19:20:29.170Z", 6080452, "code42-exfil-share-datatype", "08215631827e4179e243d27b5f502f90", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.287Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.747Z 804e3b095828 Skyformation - 6719904774936520368 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711747 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.747Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567380Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.747Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567380Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"netstandard.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":105472,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3d47f885a18937d6fd0fde935538560b\",\"sha256Checksum\":\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7c9d9285-5d31-550b-a4b2-9fd3d3b8a388", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.747Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "netstandard.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8", "2021-09-16T19:20:29.171Z", 105472, "code42-exfil-share-datatype", "3d47f885a18937d6fd0fde935538560b", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.747Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.996Z 804e3b095828 Skyformation - 3176029036093175203 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711996 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-runtime-3.1.2-osx-x64.tar.gz fsize=29915862 msg=Resource [Resource: file :: dotnet-runtime-3.1.2-osx-x64.tar.gz] was deleted by [kathy.kane@c42se.com] proto=gz requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:11.996Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-runtime-3.1.2-osx-x64.tar.gz ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/gzip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:36.132Z ext_md5Checksum=f83a55de32ce1a89fb5b123257830cba ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=29915862 ext_insertionTimestamp=2021-09-16T19:18:39.567560Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:35.234Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/gzip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.996Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567560Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-runtime-3.1.2-osx-x64.tar.gz\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":29915862,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f83a55de32ce1a89fb5b123257830cba\",\"sha256Checksum\":\"782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855\",\"createTimestamp\":\"2021-09-16T14:29:35.234Z\",\"modifyTimestamp\":\"2021-09-16T14:29:36.132Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActive
Hours\":false,\"mimeTypeByBytes\":\"application/gzip\",\"mimeTypeByExtension\":\"application/gzip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2b217573-785b-532d-860e-9598234213e8", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.996Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-runtime-3.1.2-osx-x64.tar.gz", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:36.132Z", "application/gzip", "DELETED", "162.222.47.183", "kathy.kane", "782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855", "2021-09-16T19:20:29.167Z", 29915862, "code42-exfil-share-datatype", "f83a55de32ce1a89fb5b123257830cba", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.996Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:35.234Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 3843752372852811386 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was deleted by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.005Z ext_md5Checksum=2d2bf0d9382070b7cca29a72b3936e5d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.005Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.994Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568088Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Dotnet.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":202,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2d2bf0d9382070b7cca29a72b3936e5d\",\"sha256Checksum\":\"4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca\",\"createTimestamp\":\"2021-09-16T14:29:41.005Z\",\"modifyTimestamp\":\"2021-09-16T14:29:41.005Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_6_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bf1190c9-a884-5c2a-bb2c-2795c5d957d1", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.994Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Dotnet.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:41.005Z", "application/x-sh", "DELETED", "162.222.47.183", "kathy.kane", "4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca", "2021-09-16T19:20:29.167Z", 202, "code42-exfil-share-datatype", "2d2bf0d9382070b7cca29a72b3936e5d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.994Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:41.005Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 2213325285618451753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.446Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 ext_insertionTimestamp=2021-09-16T19:18:39.568020Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568020Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-rest-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6976661,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f20102257ab369adb8dd6cb6c50014fe\",\"sha256Checksum\":\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"createTimestamp\":\"2021-09-16T14:29:31.221Z\",\"modifyTimestamp\":\"2021-09-16T14:29:31.446Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_14_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cd8f9d6d-f964-5596-b969-1adc4cbab814", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-rest-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:31.446Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf", "2021-09-16T19:20:29.167Z", 6976661, "code42-exfil-share-datatype", "f20102257ab369adb8dd6cb6c50014fe", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:31.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:34:01.973Z 804e3b095828 Skyformation - 2524988023863085362 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 dproc=file events dtz=default-tenant end=1631824441973 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:34:01.973Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:34:00.215Z ext_md5Checksum=ff960d04995e3896e1e5f9b9280fa4ab ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657598 ext_insertionTimestamp=2021-09-16T20:34:41.194795Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:34:01.973Z\",\"insertionTimestamp\":\"2021-09-16T20:34:41.194795Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657598,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"ff960d04995e3896e1e5f9b9280fa4ab\",\"sha256Checksum\":\"80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:34:00.215Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:34:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61340_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cab0f6ad-bf33-5b50-a385-5e8c1204635d", "observed_start_time": "2021-09-16T20:34:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:34:01.973Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:34:00.215Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f", "2021-09-16T20:36:28.548Z", 6657598, "code42-exfil-share-datatype", "ff960d04995e3896e1e5f9b9280fa4ab", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:34:01.973Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 9109378012419032857 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.dll fsize=54784 msg=Resource [Resource: file :: Test42Console-8.2.3.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.508Z ext_md5Checksum=d69ac3af560428f6948dc20b997161ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=54784 ext_insertionTimestamp=2021-09-16T19:18:39.567403Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.502Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.997Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567403Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":54784,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d69ac3af560428f6948dc20b997161ee\",\"sha256Checksum\":\"880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43\",\"createTimestamp\":\"2021-09-16T14:29:32.502Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.508Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_17_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-71cfb374-ab6b-5662-ab30-1b3fb949df3c", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.997Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Test42Console-8.2.3.dll", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.508Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43", "2021-09-16T19:20:29.167Z", 54784, "code42-exfil-share-datatype", "d69ac3af560428f6948dc20b997161ee", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.997Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.502Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.818Z 804e3b095828 Skyformation - 1887769325684873078 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723818 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=mscorlib.dll fsize=57216 msg=Resource [Resource: file :: mscorlib.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.818Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=mscorlib.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T18:07:34Z ext_md5Checksum=9720675697af7ba93cd049a9b7f757ef ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=57216 ext_insertionTimestamp=2021-09-16T19:18:39.567347Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T18:07:34Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.818Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567347Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"mscorlib.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":57216,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9720675697af7ba93cd049a9b7f757ef\",\"sha256Checksum\":\"ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c\",\"createTimestamp\":\"2020-01-17T18:07:34Z\",\"modifyTimestamp\":\"2020-01-17T18:07:34Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipien
ts\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ccf85660-82e2-5086-a281-3206e1b2858e", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.818Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorlib.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T18:07:34Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c", "2021-09-16T19:20:29.167Z", 57216, "code42-exfil-share-datatype", "9720675697af7ba93cd049a9b7f757ef", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.818Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T18:07:34Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4770681899815013348 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566957Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566957Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Linq.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2b104a782e44ca704503ca9b3c635c9e\",\"sha256Checksum\":\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e5d743d0-0232-5b8e-b0cb-1edd0490dd9f", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Linq.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437", "2021-09-16T19:20:29.170Z", 6144, "code42-exfil-share-datatype", "2b104a782e44ca704503ca9b3c635c9e", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 4590047523480219385 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.338Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 ext_insertionTimestamp=2021-09-16T19:18:39.567627Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.318Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567627Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":652056,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"23ba5e96a691edc4773fec0f88bf952f\",\"sha256Checksum\":\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"createTimestamp\":\"2021-09-16T14:29:32.318Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.338Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRe
cipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5e9f4477-1d64-576f-b3a8-241c6015add6", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.FileSystemWindows-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.338Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5", "2021-09-16T19:20:29.166Z", 652056, "code42-exfil-share-datatype", "23ba5e96a691edc4773fec0f88bf952f", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.318Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:33:01.545Z 804e3b095828 Skyformation - 7073850292788359537 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 dproc=file events dtz=default-tenant end=1631827981545 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:33:01.545Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:33:00.213Z ext_md5Checksum=20d1f8a835b0834eb7b5d80569deed62 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659309 ext_insertionTimestamp=2021-09-16T21:34:24.032240Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:33:01.545Z\",\"insertionTimestamp\":\"2021-09-16T21:34:24.032240Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659309,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"20d1f8a835b0834eb7b5d80569deed62\",\"sha256Checksum\":\"582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:33:00.213Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:33:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5369c67b-c8ed-5b7f-81d6-ec60324367ab", "observed_start_time": "2021-09-16T21:33:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:33:01.545Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:33:00.213Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c", "2021-09-16T21:34:28.994Z", 6659309, "code42-exfil-share-datatype", "20d1f8a835b0834eb7b5d80569deed62", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:33:01.545Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 146293528143524055 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566867Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.743Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566867Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.ValueTuple.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5632,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"749df27ac6199cfa7c4b38c78528d3c7\",\"sha256Checksum\":\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_5_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1abdcd59-cf9e-5f35-bf4b-d2994605bd55", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.743Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ValueTuple.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e", "2021-09-16T19:20:29.169Z", 5632, "code42-exfil-share-datatype", "749df27ac6199cfa7c4b38c78528d3c7", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.743Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.755Z 804e3b095828 Skyformation - 1836552121230087232 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719755 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.755Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.755Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567661Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.736Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.755Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567661Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":626077,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8824ed0806692fe40c6cc57f282862d1\",\"sha256Checksum\":\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"createTimestamp\":\"2021-09-16T19:15:18.736Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.755Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-28195e6b-c15a-559b-a699-d2f6641591b7", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.755Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.MachineManager-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.755Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30", "2021-09-16T19:20:29.157Z", 626077, "code42-exfil-share-datatype", "8824ed0806692fe40c6cc57f282862d1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.755Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.736Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:44:01.388Z 804e3b095828 Skyformation - 1266689014865399645 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 dproc=file events dtz=default-tenant end=1631832241388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:44:01.388Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:44:00.938Z ext_md5Checksum=b40c0a5ea13afe384316a54705f0d1b4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661368 ext_insertionTimestamp=2021-09-16T22:44:58.435091Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:44:01.388Z\",\"insertionTimestamp\":\"2021-09-16T22:44:58.435091Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661368,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"b40c0a5ea13afe384316a54705f0d1b4\",\"sha256Checksum\":\"a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:44:00.938Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:44:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d639f22b-9cff-59ed-9021-3ad255581d0e", "observed_start_time": "2021-09-16T22:44:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "a996d996-7445-4022-a863-c1845dab62f5", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:44:01.388Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:44:00.938Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d", "2021-09-16T22:46:30.421Z", 6661368, "code42-exfil-share-datatype", "b40c0a5ea13afe384316a54705f0d1b4", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:44:01.388Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.770Z 804e3b095828 Skyformation - 6071486703917102800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718770 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.770Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.840Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567818Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.648Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.770Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567818Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7005905,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5f7aa4fdb5ef4c7a5a5124f614865982\",\"sha256Checksum\":\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"createTimestamp\":\"2021-09-16T19:15:17.648Z\",\"modifyTimestamp\":\"2021-09-16T19:15:17.840Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-08118857-1290-5488-af20-857c21d6bdd1", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.770Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-visualization-service-rest-2.1.0.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:17.840Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240", "2021-09-16T19:20:29.169Z", 7005905, "code42-exfil-share-datatype", "5f7aa4fdb5ef4c7a5a5124f614865982", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.770Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.648Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.079Z 804e3b095828 Skyformation - 5370534398414402294 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724079 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XmlDocument.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.XmlDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.079Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=447d8892131a4e11ea225e3b1ffe34b1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.079Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567101Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XmlDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"447d8892131a4e11ea225e3b1ffe34b1\",\"sha256Checksum\":\"a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"e
mailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f80475c4-c69b-58e5-a9ed-33af9056766f", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.079Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XmlDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe", "2021-09-16T19:20:29.171Z", 6656, "code42-exfil-share-datatype", "447d8892131a4e11ea225e3b1ffe34b1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.079Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:56:02.173Z 804e3b095828 Skyformation - 7188922889508140062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 dproc=file events dtz=default-tenant end=1631822162173 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:56:02.173Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:56:00.923Z ext_md5Checksum=fc552e5a9046ea13a5d6106e2b2f9b76 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656496 ext_insertionTimestamp=2021-09-16T19:56:39.322640Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:56:02.173Z\",\"insertionTimestamp\":\"2021-09-16T19:56:39.322640Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656496,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fc552e5a9046ea13a5d6106e2b2f9b76\",\"sha256Checksum\":\"3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:56:00.923Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"
emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:56:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61339_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5b13a540-ce0b-5885-ac3e-33c0b65dba06", "observed_start_time": "2021-09-16T19:56:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:56:02.173Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:56:00.923Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4", "2021-09-16T19:58:28.306Z", 6656496, "code42-exfil-share-datatype", "fc552e5a9046ea13a5d6106e2b2f9b76", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:56:02.173Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.074Z 804e3b095828 Skyformation - 8477448688941154930 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724074 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.074Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566968Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.074Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566968Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Linq.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2b104a782e44ca704503ca9b3c635c9e\",\"sha256Checksum\":\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_14_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e28b082b-fc8d-5d89-9b34-4381e18289c2", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.074Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Linq.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437", "2021-09-16T19:20:29.167Z", 6144, "code42-exfil-share-datatype", "2b104a782e44ca704503ca9b3c635c9e", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.074Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:11:00.794Z 804e3b095828 Skyformation - 2404635122291901530 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 dproc=file events dtz=default-tenant end=1631830260794 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:11:00.794Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:11:00.379Z ext_md5Checksum=951245aef74b1e8b33f4500e499e686a ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660411 ext_insertionTimestamp=2021-09-16T22:12:24.819165Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:11:00.794Z\",\"insertionTimestamp\":\"2021-09-16T22:12:24.819165Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660411,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"951245aef74b1e8b33f4500e499e686a\",\"sha256Checksum\":\"e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:11:00.379Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:11:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cfed350e-a44b-53ce-b882-dc197c8f62b6", "observed_start_time": "2021-09-16T22:11:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:11:00.794Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:11:00.379Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da", "2021-09-16T22:12:29.328Z", 6660411, "code42-exfil-share-datatype", "951245aef74b1e8b33f4500e499e686a", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:11:00.794Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 8233299408064618554 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567268Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567268Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libhostpolicy.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":315420,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"006913ffaf68f205cc00bd03cc0d3761\",\"sha256Checksum\":\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"createTimestamp\":\"2020-01-17T20:42:18Z\",\"modifyTimestamp\":\"2020-01-17T20:42:18Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61262_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b22fa99e-4961-5cd7-94d9-94743bc7cc5a", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libhostpolicy.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:42:18Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c", "2021-09-16T19:20:29.158Z", 315420, "code42-exfil-share-datatype", "006913ffaf68f205cc00bd03cc0d3761", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:42:18Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:28:03.165Z 804e3b095828 Skyformation - 4940785117334694295 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 dproc=file events dtz=default-tenant end=1631824083165 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:28:03.165Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:28:00.813Z ext_md5Checksum=d4b2584cc8639725ef1a77f10489af6e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657424 ext_insertionTimestamp=2021-09-16T20:29:14.653406Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:28:03.165Z\",\"insertionTimestamp\":\"2021-09-16T20:29:14.653406Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657424,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d4b2584cc8639725ef1a77f10489af6e\",\"sha256Checksum\":\"4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:28:00.813Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:28:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-91bf6af3-6d39-5a96-81d4-c4908b781523", "observed_start_time": "2021-09-16T20:28:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:28:03.165Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:28:00.813Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4", "2021-09-16T20:30:28.534Z", 6657424, "code42-exfil-share-datatype", "d4b2584cc8639725ef1a77f10489af6e", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:28:03.165Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 8309860196715459145 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.239Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567649Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.212Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567649Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":626077,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8824ed0806692fe40c6cc57f282862d1\",\"sha256Checksum\":\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"createTimestamp\":\"2021-09-16T14:29:32.212Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.239Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_5_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0e24644f-f291-5bd2-bc35-86a9b5d0b7a3", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.MachineManager-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.239Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30", "2021-09-16T19:20:29.169Z", 626077, "code42-exfil-share-datatype", "8824ed0806692fe40c6cc57f282862d1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.212Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:55:02.138Z 804e3b095828 Skyformation - 729364201181628912 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 dproc=file events dtz=default-tenant end=1631825702138 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:55:02.138Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:55:00.753Z ext_md5Checksum=63d8ad93f3a8ccf161c446bd00ebe0ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658207 ext_insertionTimestamp=2021-09-16T20:56:21.765014Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:55:02.138Z\",\"insertionTimestamp\":\"2021-09-16T20:56:21.765014Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658207,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"63d8ad93f3a8ccf161c446bd00ebe0ee\",\"sha256Checksum\":\"d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:55:00.753Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-288534d9-fd19-501f-a62b-9ccd21200713", "observed_start_time": "2021-09-16T20:55:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:55:02.138Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:55:00.753Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e", "2021-09-16T20:58:28.798Z", 6658207, "code42-exfil-share-datatype", "63d8ad93f3a8ccf161c446bd00ebe0ee", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:55:02.138Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 8983082904017481833 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:28.729Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567951Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.871Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567951Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26151827,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"4686b7fd21e7fb7459728108e94bdda5\",\"sha256Checksum\":\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"createTimestamp\":\"2021-09-16T14:29:27.871Z\",\"modifyTimestamp\":\"2021-09-16T14:29:28.729Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ea36b47c-6754-5ecf-931a-a6132c50aa22", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-desktop-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:28.729Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455", "2021-09-16T19:20:29.170Z", 26151827, "code42-exfil-share-datatype", "4686b7fd21e7fb7459728108e94bdda5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.871Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:12:03.215Z 804e3b095828 Skyformation - 6886991114765220858 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 dproc=file events dtz=default-tenant end=1631823123215 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:12:03.215Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:12:00.952Z ext_md5Checksum=326e1e96ac5b97f92334ae3ed0af00a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656960 ext_insertionTimestamp=2021-09-16T20:12:57.237021Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:12:03.215Z\",\"insertionTimestamp\":\"2021-09-16T20:12:57.237021Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656960,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"326e1e96ac5b97f92334ae3ed0af00a9\",\"sha256Checksum\":\"7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:12:00.952Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:12:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61340_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4187d125-6fed-5e14-872a-e781ac9c07c7", "observed_start_time": "2021-09-16T20:12:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:12:03.215Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:12:00.952Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc", "2021-09-16T20:14:29.101Z", 6656960, "code42-exfil-share-datatype", "326e1e96ac5b97f92334ae3ed0af00a9", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:12:03.215Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 3519140269928418882 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.847Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567807Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.631Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567807Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7005905,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5f7aa4fdb5ef4c7a5a5124f614865982\",\"sha256Checksum\":\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"createTimestamp\":\"2021-09-16T14:29:30.631Z\",\"modifyTimestamp\":\"2021-09-16T14:29:30.847Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_0_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c15684c1-40f1-5e8d-a549-ec971abac766", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-visualization-service-rest-2.1.0.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:30.847Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240", "2021-09-16T19:20:29.168Z", 7005905, "code42-exfil-share-datatype", "5f7aa4fdb5ef4c7a5a5124f614865982", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.631Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:39:02.995Z 804e3b095828 Skyformation - 2457476870350379974 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 dproc=file events dtz=default-tenant end=1631824742995 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:39:02.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:39:00.749Z ext_md5Checksum=c777bda26af371c784639bf97c796a30 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657743 ext_insertionTimestamp=2021-09-16T20:40:03.955501Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:39:02.995Z\",\"insertionTimestamp\":\"2021-09-16T20:40:03.955501Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657743,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c777bda26af371c784639bf97c796a30\",\"sha256Checksum\":\"2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:39:00.749Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:39:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61342_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8fd13adc-a57f-52b3-afec-f4d6286a241e", "observed_start_time": "2021-09-16T20:39:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:39:02.995Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:39:00.749Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a", "2021-09-16T20:40:29.204Z", 6657743, "code42-exfil-share-datatype", "c777bda26af371c784639bf97c796a30", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:39:02.995Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.898Z 804e3b095828 Skyformation - 4866351305492022215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819715898 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.898Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:16.117Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567962Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.422Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.898Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567962Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26151827,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"4686b7fd21e7fb7459728108e94bdda5\",\"sha256Checksum\":\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"createTimestamp\":\"2021-09-16T19:15:15.422Z\",\"modifyTimestamp\":\"2021-09-16T19:15:16.117Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f72d64ad-9c47-5fe9-abad-e1411db140d1", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.898Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-desktop-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:16.117Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455", "2021-09-16T19:20:29.168Z", 26151827, "code42-exfil-share-datatype", "4686b7fd21e7fb7459728108e94bdda5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.898Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:15.422Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:17:02.470Z 804e3b095828 Skyformation - 3355602177351257247 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 dproc=file events dtz=default-tenant end=1631823422470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:17:02.470Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:17:00.510Z ext_md5Checksum=79e223064e50c50dc63e89e30862e8f4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657105 ext_insertionTimestamp=2021-09-16T20:18:24.025397Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:17:02.470Z\",\"insertionTimestamp\":\"2021-09-16T20:18:24.025397Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657105,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"79e223064e50c50dc63e89e30862e8f4\",\"sha256Checksum\":\"5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:17:00.510Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:17:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6d5a20a2-f50e-5f19-a010-b1be1e470e1d", "observed_start_time": "2021-09-16T20:17:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:17:02.470Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:17:00.510Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3", "2021-09-16T20:20:29.219Z", 6657105, "code42-exfil-share-datatype", "79e223064e50c50dc63e89e30862e8f4", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:17:02.470Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.801Z 804e3b095828 Skyformation - 621632533739725350 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819723801 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.801Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567212Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.801Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567212Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libclrjit.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2741416,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"650f69041d44556a5f3bdbcace8b3dea\",\"sha256Checksum\":\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"createTimestamp\":\"2020-01-17T02:29:02Z\",\"modifyTimestamp\":\"2020-01-17T02:29:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_4_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4ae4ea8f-75b0-5f70-bab5-178877150abf", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.801Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libclrjit.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:29:02Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959", "2021-09-16T19:20:29.158Z", 2741416, "code42-exfil-share-datatype", "650f69041d44556a5f3bdbcace8b3dea", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.801Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:29:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:49:02.292Z 804e3b095828 Skyformation - 1350603041899679478 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 dproc=file events dtz=default-tenant end=1631832542292 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:49:02.292Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:49:00.527Z ext_md5Checksum=e36e7a007a335fab0b5c84fd64dfdccc ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661513 ext_insertionTimestamp=2021-09-16T22:50:23.782238Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:49:02.292Z\",\"insertionTimestamp\":\"2021-09-16T22:50:23.782238Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661513,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e36e7a007a335fab0b5c84fd64dfdccc\",\"sha256Checksum\":\"5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:49:00.527Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:49:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61444_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-af4fbb0a-af39-5538-9106-9b2db2646476", "observed_start_time": "2021-09-16T22:49:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "e6bed5f8-b4eb-48c3-a7d6-93dcd222e271", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:49:02.292Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:49:00.527Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca", "2021-09-16T22:52:31.870Z", 6661513, "code42-exfil-share-datatype", "e36e7a007a335fab0b5c84fd64dfdccc", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:49:02.292Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.761Z 804e3b095828 Skyformation - 2980995002300610810 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719761 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.761Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.832Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 
ext_insertionTimestamp=2021-09-16T19:18:39.567638Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.812Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.761Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567638Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":652056,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"23ba5e96a691edc4773fec0f88bf952f\",\"sha256Checksum\":\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"createTimestamp\":\"2021-09-16T19:15:18.812Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.832Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c978eb4a-4e5b-5e42-870b-1d5172367949", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.761Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.FileSystemWindows-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.832Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5", "2021-09-16T19:20:29.168Z", 652056, "code42-exfil-share-datatype", "23ba5e96a691edc4773fec0f88bf952f", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.761Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.812Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.897Z 804e3b095828 Skyformation - 5723685368446080373 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715897 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar fsize=41227 msg=Resource [Resource: file :: test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.897Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.419Z ext_md5Checksum=e98fb5f87aed64e2d32116bc565d2dec ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=41227 ext_insertionTimestamp=2021-09-16T19:18:39.567796Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.414Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.897Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567796Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":41227,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e98fb5f87aed64e2d32116bc565d2dec\",\"sha256Checksum\":\"95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806\",\"createTimestamp\":\"2021-09-16T19:15:15.414Z\",\"modifyTimestamp\":\"2021-09-16T19:15:15.419Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\"
:null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4386ebf1-b7bd-5cc7-9d76-25107a9a2069", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.897Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:15.419Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806", "2021-09-16T19:20:29.157Z", 41227, "code42-exfil-share-datatype", "e98fb5f87aed64e2d32116bc565d2dec", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.897Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:15.414Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.821Z 804e3b095828 Skyformation - 1605658926549055429 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723821 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.821Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567392Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.821Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567392Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"netstandard.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":105472,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3d47f885a18937d6fd0fde935538560b\",\"sha256Checksum\":\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_18_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2481047e-5ae4-543b-9028-8e19e3e05566", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.821Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "netstandard.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8", "2021-09-16T19:20:29.170Z", 105472, "code42-exfil-share-datatype", "3d47f885a18937d6fd0fde935538560b", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.821Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:01:01.023Z 804e3b095828 Skyformation - 2456916627922492488 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 dproc=file events dtz=default-tenant end=1631822461023 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:01:01.023Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:01:00.608Z ext_md5Checksum=2ee6250bd1e7bd8600f0961bd3324d4e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656641 ext_insertionTimestamp=2021-09-16T20:02:04.344088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:01:01.023Z\",\"insertionTimestamp\":\"2021-09-16T20:02:04.344088Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656641,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2ee6250bd1e7bd8600f0961bd3324d4e\",\"sha256Checksum\":\"1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:01:00.608Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:01:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61339_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fc4db0ba-18cc-5107-a914-084f635c52af", "observed_start_time": "2021-09-16T20:01:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:01:01.023Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:01:00.608Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54", "2021-09-16T20:04:28.310Z", 6656641, "code42-exfil-share-datatype", "2ee6250bd1e7bd8600f0961bd3324d4e", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:01:01.023Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.772Z 804e3b095828 Skyformation - 8294759705628931815 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819718772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.772Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.095Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.568008Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.884Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.772Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568008Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7650176,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d2670e017c2aee21fbfa183360468e94\",\"sha256Checksum\":\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"createTimestamp\":\"2021-09-16T19:15:17.884Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.095Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f63d3086-bd17-55ab-81cc-54fc91e7d10b", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.772Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-file-system-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.095Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64", "2021-09-16T19:20:29.172Z", 7650176, "code42-exfil-share-datatype", "d2670e017c2aee21fbfa183360468e94", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.772Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.884Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:44:00.556Z 804e3b095828 Skyformation - 8674733544075329242 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 dproc=file events dtz=default-tenant end=1631828640556 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:44:00.556Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:44:00.149Z ext_md5Checksum=32ef24cfa95d52085eea12935c55f475 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659628 ext_insertionTimestamp=2021-09-16T21:45:15.841469Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:44:00.556Z\",\"insertionTimestamp\":\"2021-09-16T21:45:15.841469Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659628,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"32ef24cfa95d52085eea12935c55f475\",\"sha256Checksum\":\"a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:44:00.149Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:44:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-23911c2c-7e26-51bc-9fea-5f05b4c871cf", "observed_start_time": "2021-09-16T21:44:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:44:00.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:44:00.149Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a", "2021-09-16T21:46:29.997Z", 6659628, "code42-exfil-share-datatype", "32ef24cfa95d52085eea12935c55f475", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:44:00.556Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.085Z 804e3b095828 Skyformation - 8692612087128247895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819724085 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.085Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567190Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.085Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567190Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"WindowsBase.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d8a0e4361c61034952e56a4eaac26925\",\"sha256Checksum\":\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_18_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-08f2fe68-910f-5dc7-94c4-c7d30afc8519", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.085Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsBase.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597", "2021-09-16T19:20:29.170Z", 6656, "code42-exfil-share-datatype", "d8a0e4361c61034952e56a4eaac26925", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.085Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z 
ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-75e7c90f-681b-5167-ab1f-93253718bf60", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "email", "ctr_uuid": "9bbedf60-14c7-4119-88a5-0980db51cd12", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": 
"indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 5692899194704443110 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Java.sh fsize=165 msg=Resource [Resource: file :: launchTest42Console-Java.sh] was deleted 
by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Java.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.020Z ext_md5Checksum=3b387d2bf8ce6d3b92a5f1db751813f9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=165 ext_insertionTimestamp=2021-09-16T19:18:39.568109Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.019Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.994Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568109Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Java.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":165,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3b387d2bf8ce6d3b92a5f1db751813f9\",\"sha256Checksum\":\"ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361\",\"createTimestamp\":\"2021-09-16T14:29:41.019Z\",\"modifyTimestamp\":\"2021-09-16T14:29:41.020Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,
\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_11_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-45612c08-8262-5116-a9f8-17732756f8ff", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.994Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Java.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:41.020Z", "application/x-sh", "DELETED", "162.222.47.183", "kathy.kane", "ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361", "2021-09-16T19:20:29.168Z", 165, "code42-exfil-share-datatype", "3b387d2bf8ce6d3b92a5f1db751813f9", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.994Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:41.019Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:28:00.876Z 804e3b095828 Skyformation - 8042611856875895468 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 dproc=file events 
dtz=default-tenant end=1631831280876 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:28:00.876Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:28:00.304Z ext_md5Checksum=453ec6ef064fa5bc0c6f50ee2d5204e5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660904 ext_insertionTimestamp=2021-09-16T22:28:42.643367Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:28:00.876Z\",\"insertionTimestamp\":\"2021-09-16T22:28:42.643367Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660904,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"453ec6ef064fa5bc0c6f50ee2d5204e5\",\"sha256Checksum\":\"853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:28:00.304Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:28:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61426_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5a4f38a7-721b-5a46-af92-9b379e22e83f", "observed_start_time": "2021-09-16T22:28:00Z", "count": 1, "observable_type": "email", "ctr_uuid": "4b7ab028-acaa-4fb1-b37e-526ecd458912", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:28:00.876Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:28:00.304Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108", "2021-09-16T22:30:29.500Z", 6660904, "code42-exfil-share-datatype", "453ec6ef064fa5bc0c6f50ee2d5204e5", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:28:00.876Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:59:02.980Z\",\"insertionTimestamp\":\"2021-09-16T23:01:17.003636Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661803,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7a691f6c406d52373ad2c62e2f480bb3\",\"sha256Checksum\":\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:59:00.670Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:59:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a65e4551-47d7-5f70-a259-006cd2ea2894", "observed_start_time": "2021-09-16T22:59:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "f0a0ad4f-0f73-4ac4-96d8-488f86fa742f", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:59:02.980Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:59:00.670Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3", "2021-09-16T23:02:30.314Z", 6661803, "code42-exfil-share-datatype", "7a691f6c406d52373ad2c62e2f480bb3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:59:02.980Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:14.828Z 804e3b095828 Skyformation - 4988657070909514900 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819714828 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:14.828Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:13.679Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567549Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:13.658Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:14.828Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567549Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-Test42Runner-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":468043,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2fa8d4d1035f2e127169e5e649d52ed1\",\"sha256Checksum\":\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"createTimestamp\":\"2021-09-16T19:15:13.658Z\",\"modifyTimestamp\":\"2021-09-16T19:15:13.679Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:14Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-747337c7-1290-5526-abdf-d50e6103d1ac", "observed_start_time": "2021-09-16T19:15:14Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:14.828Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-Test42Runner-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:13.679Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4", "2021-09-16T19:20:29.172Z", 468043, "code42-exfil-share-datatype", "2fa8d4d1035f2e127169e5e649d52ed1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:14.828Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:13.658Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.775Z 804e3b095828 Skyformation - 235457846511697461 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718775 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.775Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.687Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567939Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.378Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.775Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567939Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11047889,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c32214157ad2def6a511701ce4e0a562\",\"sha256Checksum\":\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"createTimestamp\":\"2021-09-16T19:15:18.378Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.687Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emai
lFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0d18a5dd-0e2a-5b84-b619-3d537c56b3d0", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.775Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.687Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b", "2021-09-16T19:20:29.172Z", 11047889, "code42-exfil-share-datatype", "c32214157ad2def6a511701ce4e0a562", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.775Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.378Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:39:00.951Z 804e3b095828 Skyformation - 3085221760796449695 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 dproc=file events dtz=default-tenant end=1631828340951 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:39:00.951Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:39:00.700Z ext_md5Checksum=5a797dc0a97885951ef7fd87b6f564fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659483 ext_insertionTimestamp=2021-09-16T21:39:50.425897Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:39:00.951Z\",\"insertionTimestamp\":\"2021-09-16T21:39:50.425897Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659483,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5a797dc0a97885951ef7fd87b6f564fe\",\"sha256Checksum\":\"a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:39:00.700Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],
\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:39:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-de89ae13-1740-5d1b-89bb-f85121f0cd75", "observed_start_time": "2021-09-16T21:39:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:39:00.951Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:39:00.700Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c", "2021-09-16T21:40:29.785Z", 6659483, "code42-exfil-share-datatype", "5a797dc0a97885951ef7fd87b6f564fe", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:39:00.951Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.769Z 804e3b095828 Skyformation - 6627546699421659495 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719769 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.769Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.052Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568143Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.979Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.769Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568143Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"test42-console-8.2.3.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2573374,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa7ef1099a4cd7eb288430e0f8621b0c\",\"sha256Checksum\":\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"createTimestamp\":\"2021-09-16T19:15:18.979Z\",\"modifyTimestamp\":\"2021-09-16T19:15:19.052Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_1_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3d31370-5f9b-5151-b1b4-1106238db7e9", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.769Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-console-8.2.3.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:19.052Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee", "2021-09-16T19:20:29.167Z", 2573374, "code42-exfil-share-datatype", "aa7ef1099a4cd7eb288430e0f8621b0c", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.769Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.979Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.893Z 804e3b095828 Skyformation - 4881423058587582298 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715893 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:15.893Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.133Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567870Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:14.961Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.893Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567870Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-common-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6080452,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"08215631827e4179e243d27b5f502f90\",\"sha256Checksum\":\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"createTimestamp\":\"2021-09-16T19:15:14.961Z\",\"modifyTimestamp\":\"2021-09-16T19:15:15.133Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRec
ipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fcfc53ce-2a59-58e6-8c35-da34b1db1be7", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.893Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-common-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:15.133Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1", "2021-09-16T19:20:29.169Z", 6080452, "code42-exfil-share-datatype", "08215631827e4179e243d27b5f502f90", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.893Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:14.961Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.773Z 804e3b095828 Skyformation - 2796256343079738721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718773 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.773Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.342Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 
ext_insertionTimestamp=2021-09-16T19:18:39.568031Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.148Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.773Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568031Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-rest-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6976661,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f20102257ab369adb8dd6cb6c50014fe\",\"sha256Checksum\":\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"createTimestamp\":\"2021-09-16T19:15:18.148Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.342Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61263_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-82473b8d-7e74-50ea-9744-5b08a75c0f86", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.773Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-rest-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.342Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf", "2021-09-16T19:20:29.159Z", 6976661, "code42-exfil-share-datatype", "f20102257ab369adb8dd6cb6c50014fe", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.773Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.148Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 1490067587399469079 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.147Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.567997Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.911Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567997Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7650176,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d2670e017c2aee21fbfa183360468e94\",\"sha256Checksum\":\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"createTimestamp\":\"2021-09-16T14:29:30.911Z\",\"modifyTimestamp\":\"2021-09-16T14:29:31.147Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"ema
ilRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-600d5056-d56f-5d29-8735-28d002a0177c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-file-system-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:31.147Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64", "2021-09-16T19:20:29.157Z", 7650176, "code42-exfil-share-datatype", "d2670e017c2aee21fbfa183360468e94", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.911Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:50:02.277Z 804e3b095828 Skyformation - 5602684442482280736 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 dproc=file events dtz=default-tenant end=1631829002277 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:50:02.277Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:50:00.880Z ext_md5Checksum=b817fe0a78cbc9235abc6adce11beb39 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659802 ext_insertionTimestamp=2021-09-16T21:51:03.096935Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:50:02.277Z\",\"insertionTimestamp\":\"2021-09-16T21:51:03.096935Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659802,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"b817fe0a78cbc9235abc6adce11beb39\",\"sha256Checksum\":\"6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:50:00.880Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8c564a5c-edc3-541c-989b-c9b6584537a0", "observed_start_time": "2021-09-16T21:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:50:02.277Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:50:00.880Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c", "2021-09-16T21:52:29.135Z", 6659802, "code42-exfil-share-datatype", "b817fe0a78cbc9235abc6adce11beb39", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:50:02.277Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.993Z 804e3b095828 Skyformation - 8176639218918911133 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711993 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console.runtimeconfig.json fsize=105 msg=Resource [Resource: file :: Test42Console.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.993Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.653Z ext_md5Checksum=ba8f99b0518b43d8e5cdf3ea1356c600 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105 ext_insertionTimestamp=2021-09-16T19:18:39.567470Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.651Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.993Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567470Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console.runtimeconfig.json\",\"fileType\":\"FILE\",\"fileCategory\":\"Uncategorized\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":105,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"ba8f99b0518b43d8e5cdf3ea1356c600\",\"sha256Checksum\":\"8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86\",\"createTimestamp\":\"2021-09-16T14:29:32.651Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.653Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/json\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_19_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c0e83a93-2af4-5d37-babd-10b1452f228d", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.993Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Test42Console.runtimeconfig.json", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.653Z", "application/json", "DELETED", "162.222.47.183", "kathy.kane", "8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86", "2021-09-16T19:20:29.168Z", 105, "code42-exfil-share-datatype", "ba8f99b0518b43d8e5cdf3ea1356c600", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Uncategorized", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.993Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.651Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.008Z 804e3b095828 Skyformation - 2619095453314890827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712008 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-string-18.0.194-develop-194.jar fsize=14758 msg=Resource [Resource: file :: test42-fixture-string-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:12.008Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-string-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.375Z ext_md5Checksum=0c1b42a22fa41253e0a883a3c2147fa9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14758 ext_insertionTimestamp=2021-09-16T19:18:39.568043Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.371Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.008Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568043Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-string-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14758,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0c1b42a22fa41253e0a883a3c2147fa9\",\"sha256Checksum\":\"a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c\",\"createTimestamp\":\"2021-09-16T14:29:26.371Z\",\"modifyTimestamp\":\"2021-09-16T14:29:26.375Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d692ff50-8a73-5b7c-887a-7ac69931a5ce", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.008Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-string-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:26.375Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c", "2021-09-16T19:20:29.168Z", 14758, "code42-exfil-share-datatype", "0c1b42a22fa41253e0a883a3c2147fa9", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.008Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:26.371Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 465235528329935198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.563Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 
ext_insertionTimestamp=2021-09-16T19:18:39.567718Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.281Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567718Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7657197,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"61898b6da7ebbf3a13be7c76ae49e5f5\",\"sha256Checksum\":\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"createTimestamp\":\"2021-09-16T14:29:30.281Z\",\"modifyTimestamp\":\"2021-09-16T14:29:30.563Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_11_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4e7fd42a-7da6-52ff-a103-0ef33800ab52", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:30.563Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43", "2021-09-16T19:20:29.168Z", 7657197, "code42-exfil-share-datatype", "61898b6da7ebbf3a13be7c76ae49e5f5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.281Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.820Z 804e3b095828 Skyformation - 3517425595454456489 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723820 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was created by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:23.820Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567369Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.820Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567369Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"nethost.h\",\"fileType\":\"FILE\",\"fileCategory\":\"SourceCode\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"SourceCode\",\"fileSize\":2709,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"43b6f3115aa52ad9540bdbe756e1a9b3\",\"sha256Checksum\":\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"createTimestamp\":\"2020-01-17T20:38:56Z\",\"modifyTimestamp\":\"2020-01-17T20:38:56Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":n
ull,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/x-chdr\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9e830775-5347-525c-aedd-78a6ed9a978d", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.820Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "SourceCode", "Endpoint", "nethost.h", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:38:56Z", "text/x-chdr", "CREATED", "162.222.47.183", "kathy.kane", "c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f", "2021-09-16T19:20:29.167Z", 2709, "code42-exfil-share-datatype", "43b6f3115aa52ad9540bdbe756e1a9b3", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "SourceCode", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.820Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:38:56Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 4664902644332636172 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar fsize=14514207 msg=Resource [Resource: file :: test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:29.203Z ext_md5Checksum=34dd2200b09a5c51bbd84acdeb98b606 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14514207 
ext_insertionTimestamp=2021-09-16T19:18:39.567904Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:28.792Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567904Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14514207,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"34dd2200b09a5c51bbd84acdeb98b606\",\"sha256Checksum\":\"13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e\",\"createTimestamp\":\"2021-09-16T14:29:28.792Z\",\"modifyTimestamp\":\"2021-09-16T14:29:29.203Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61263_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1a735af4-fe4a-5bf6-8aa8-32b39f6cb717", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:29.203Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e", "2021-09-16T19:20:29.158Z", 14514207, "code42-exfil-share-datatype", "34dd2200b09a5c51bbd84acdeb98b606", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:28.792Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:23:01.992Z 804e3b095828 Skyformation - 134014797071545939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 dproc=file events dtz=default-tenant end=1631823781992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:23:01.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:23:00.252Z ext_md5Checksum=e95fbbc4261d5827634041a0f12107a0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657279 ext_insertionTimestamp=2021-09-16T20:23:47.534223Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:23:01.992Z\",\"insertionTimestamp\":\"2021-09-16T20:23:47.534223Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657279,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e95fbbc4261d5827634041a0f12107a0\",\"sha256Checksum\":\"2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:23:00.252Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"172.20.64.15\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:23:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-36285ceb-2bb5-537c-aee4-140da8e61c9d", "observed_start_time": "2021-09-16T20:23:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:23:01.992Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "172.20.64.15", "2021-09-16T20:23:00.252Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09", "2021-09-16T20:24:29.211Z", 6657279, "code42-exfil-share-datatype", "e95fbbc4261d5827634041a0f12107a0", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:23:01.992Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:39:00.979Z 804e3b095828 Skyformation - 2580885261986268761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 dproc=file events 
dtz=default-tenant end=1631831940979 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:39:00.979Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:39:00.479Z ext_md5Checksum=693b07e79c0ed75e36f7a60f836ef1a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661223 ext_insertionTimestamp=2021-09-16T22:39:31.810355Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:39:00.979Z\",\"insertionTimestamp\":\"2021-09-16T22:39:31.810355Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661223,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"693b07e79c0ed75e36f7a60f836ef1a9\",\"sha256Checksum\":\"d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:39:00.479Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:39:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bbe544a7-4712-503d-8e2b-e850af9a8a35", "observed_start_time": "2021-09-16T22:39:00Z", "count": 1, "observable_type": "email", "ctr_uuid": "fadc76ee-cf2d-4cbd-b0ed-7a1ca4a07aec", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:39:00.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:39:00.479Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0", "2021-09-16T22:40:29.619Z", 6661223, "code42-exfil-share-datatype", "693b07e79c0ed75e36f7a60f836ef1a9", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:39:00.979Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 3347113359677108016 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XmlSerializer.dll fsize=8704 msg=Resource [Resource: file :: System.Xml.XmlSerializer.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlSerializer.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=0cc4665479b5e519b2597b93577de1aa ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8704 ext_insertionTimestamp=2021-09-16T19:18:39.567112Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567112Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XmlSerializer.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":8704,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0cc4665479b5e519b2597b93577de1aa\",\"sha256Checksum\":\"027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_3_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a8e336e0-e775-5f81-a1d7-1d703bd8e157", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XmlSerializer.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba", "2021-09-16T19:20:29.167Z", 8704, "code42-exfil-share-datatype", "0cc4665479b5e519b2597b93577de1aa", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:23:02.291Z 804e3b095828 Skyformation - 2954122368002305264 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 dproc=file events dtz=default-tenant end=1631827382291 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:23:02.291Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:23:00.987Z ext_md5Checksum=8a6258884d44fdd107707ad5c0cf2bea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659019 ext_insertionTimestamp=2021-09-16T21:23:35.061605Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:23:02.291Z\",\"insertionTimestamp\":\"2021-09-16T21:23:35.061605Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659019,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8a6258884d44fdd107707ad5c0cf2bea\",\"sha256Checksum\":\"4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:23:00.987Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:23:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61418_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5e37db0d-c059-56cc-8397-ed743e0042df", "observed_start_time": "2021-09-16T21:23:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:23:02.291Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:23:00.987Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b", "2021-09-16T21:24:29.095Z", 6659019, "code42-exfil-share-datatype", "8a6258884d44fdd107707ad5c0cf2bea", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:23:02.291Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "76c97484-2a68-423b-8253-74077ffe7d5a", "observable": {"key": "2dde50ee-8aa4-4e5b-83b7-465c8f586c94", "value": "kathy.kane@c42se.com", "indicators": [], "type": "email", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "eb1b756a", 
"module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "email", "value": "kathy.kane@c42se.com"}, "type": "warning", "action_id": "194360e4-b8f2-44b6-9386-2d9df7a3a549", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for kathy.kane@c42se.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "kathy.kane@c42se.com", "id": "eb1b756a", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:45:02.992Z 804e3b095828 Skyformation - 7407412671789166693 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 dproc=file events dtz=default-tenant end=1631821502992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:45:02.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:45:00.674Z ext_md5Checksum=fdd100bc2a43a9756c77a0f9bc9a6bb1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656177 ext_insertionTimestamp=2021-09-16T19:46:24.888007Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:45:02.992Z\",\"insertionTimestamp\":\"2021-09-16T19:46:24.888007Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656177,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fdd100bc2a43a9756c77a0f9bc9a6bb1\",\"sha256Checksum\":\"d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:45:00.674Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:45:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61335_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-031676c5-8fde-5d2f-a294-dcc4907a8027", "observed_start_time": "2021-09-16T19:45:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:45:02.992Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", 
"type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:45:00.674Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b", "2021-09-16T19:46:29.180Z", 6656177, "code42-exfil-share-datatype", "fdd100bc2a43a9756c77a0f9bc9a6bb1", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:45:02.992Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 7344986800471780939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 
ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.617Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568132Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.538Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.997Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568132Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"test42-console-8.2.3.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2573374,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa7ef1099a4cd7eb288430e0f8621b0c\",\"sha256Checksum\":\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"createTimestamp\":\"2021-09-16T14:29:32.538Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.617Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\
":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-12273ce2-c1f1-56d6-940c-1caa8cc3def0", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.997Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-console-8.2.3.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.617Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee", "2021-09-16T19:20:29.169Z", 2573374, "code42-exfil-share-datatype", "aa7ef1099a4cd7eb288430e0f8621b0c", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.997Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.538Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:17:02.424Z 804e3b095828 Skyformation - 1426281696218831775 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 dproc=file events dtz=default-tenant end=1631830622424 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:17:02.424Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:17:01.080Z ext_md5Checksum=45271570c0b4116a1346bc72d738bdb7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660585 ext_insertionTimestamp=2021-09-16T22:18:10.576136Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:17:02.424Z\",\"insertionTimestamp\":\"2021-09-16T22:18:10.576136Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660585,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"45271570c0b4116a1346bc72d738bdb7\",\"sha256Checksum\":\"7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:17:01.080Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:17:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61425_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d8f5eeb-ef31-559e-bd07-4110d914aed6", "observed_start_time": "2021-09-16T22:17:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:17:02.424Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:17:01.080Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf", "2021-09-16T22:18:30.436Z", 6660585, "code42-exfil-share-datatype", "45271570c0b4116a1346bc72d738bdb7", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:17:02.424Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] 
cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-14468291-feda-589f-aff6-c26b375c9a21", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "email", "ctr_uuid": "1430cdb0-e2b9-48e8-b049-c6d851398a76", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.064Z 804e3b095828 Skyformation - 4009757464107454250 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724064 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.064Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566878Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.064Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566878Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.ValueTuple.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5632,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"749df27ac6199cfa7c4b38c78528d3c7\",\"sha256Checksum\":\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailR
ecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-87f5bd74-534f-5452-9443-5780f3c04592", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.064Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ValueTuple.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e", "2021-09-16T19:20:29.169Z", 5632, "code42-exfil-share-datatype", "749df27ac6199cfa7c4b38c78528d3c7", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.064Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4235368662387611807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 
ext_insertionTimestamp=2021-09-16T19:18:39.567001Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567001Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Serialization.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9f738865f15c0a0be0e20e709bc3d36d\",\"sha256Checksum\":\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_7_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cd2c1f21-0ba5-54a9-a265-cebe9ec4f240", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Serialization.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34", "2021-09-16T19:20:29.157Z", 6656, "code42-exfil-share-datatype", "9f738865f15c0a0be0e20e709bc3d36d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:17.834Z 804e3b095828 Skyformation - 7862693865552891800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819717834 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:17.834Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.599Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 ext_insertionTimestamp=2021-09-16T19:18:39.567729Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.382Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:17.834Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567729Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7657197,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"61898b6da7ebbf3a13be7c76ae49e5f5\",\"sha256Checksum\":\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"createTimestamp\":\"2021-09-16T19:15:17.382Z\",\"modifyTimestamp\":\"2021-09-16T19:15:17.599Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":nu
ll,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:17Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1f1a61cc-36a1-5d00-b37d-186d933c3aff", "observed_start_time": "2021-09-16T19:15:17Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:17.834Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:17.599Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43", "2021-09-16T19:20:29.170Z", 7657197, "code42-exfil-share-datatype", "61898b6da7ebbf3a13be7c76ae49e5f5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:17.834Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.382Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:12:02.578Z 804e3b095828 Skyformation - 1251318046287163167 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 dproc=file events dtz=default-tenant end=1631826722578 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:12:02.578Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:12:00.729Z ext_md5Checksum=dbc1cb1cfb3298c65169ae22e5f6f7c3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658700 ext_insertionTimestamp=2021-09-16T21:12:39.659856Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:12:02.578Z\",\"insertionTimestamp\":\"2021-09-16T21:12:39.659856Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658700,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"dbc1cb1cfb3298c65169ae22e5f6f7c3\",\"sha256Checksum\":\"04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:12:00.729Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"
emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:12:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61383_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-762de8d1-3a28-5dc3-9b5a-a2f4a034504c", "observed_start_time": "2021-09-16T21:12:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:12:02.578Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:12:00.729Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86", "2021-09-16T21:14:30.111Z", 6658700, "code42-exfil-share-datatype", "dbc1cb1cfb3298c65169ae22e5f6f7c3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:12:02.578Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.805Z 804e3b095828 Skyformation - 3819734286974639827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723805 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.805Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567280Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.805Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567280Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libhostpolicy.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":315420,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"006913ffaf68f205cc00bd03cc0d3761\",\"sha256Checksum\":\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"createTimestamp\":\"2020-01-17T20:42:18Z\",\"modifyTimestamp\":\"2020-01-17T20:42:18Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_19_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-452a4ed9-abce-5890-a830-82ddb5eaa49b", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.805Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libhostpolicy.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:42:18Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c", "2021-09-16T19:20:29.168Z", 315420, "code42-exfil-share-datatype", "006913ffaf68f205cc00bd03cc0d3761", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.805Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:42:18Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.076Z 804e3b095828 Skyformation - 58928744233355401 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724076 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.076Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567012Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.076Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567012Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Serialization.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9f738865f15c0a0be0e20e709bc3d36d\",\"sha256Checksum\":\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\
"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-10061513-9751-5b3c-852f-d7df4246f094", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.076Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", 
"type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Serialization.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34", "2021-09-16T19:20:29.167Z", 6656, "code42-exfil-share-datatype", "9f738865f15c0a0be0e20e709bc3d36d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.076Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 462618621597382345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.137Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567927Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.822Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567927Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11047889,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c32214157ad2def6a511701ce4e0a562\",\"sha256Checksum\":\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"createTimestamp\":\"2021-09-16T14:29:31.822Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.137Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_2_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-97403b8e-6aff-5cd3-a460-803204a1cfc9", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.137Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b", "2021-09-16T19:20:29.169Z", 11047889, "code42-exfil-share-datatype", "c32214157ad2def6a511701ce4e0a562", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:31.822Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 6416722578617098322 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-alert-service-rest-1.2.2.jar fsize=7019539 msg=Resource [Resource: file :: test42-fixture-code42-alert-service-rest-1.2.2.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-alert-service-rest-1.2.2.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.763Z ext_md5Checksum=df05453fe8178232379ca092d4b68707 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7019539 ext_insertionTimestamp=2021-09-16T19:18:39.567740Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.546Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567740Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-alert-service-rest-1.2.2.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7019539,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"df05453fe8178232379ca092d4b68707\",\"sha256Checksum\":\"6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab\",\"createTimestamp\":\"2021-09-16T14:29:27.546Z\",\"modifyTimestamp\":\"2021-09-16T14:29:27.763Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emai
lRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-412a5023-44d2-5525-a625-4f57e9139e3c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-alert-service-rest-1.2.2.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:27.763Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab", "2021-09-16T19:20:29.168Z", 7019539, "code42-exfil-share-datatype", "df05453fe8178232379ca092d4b68707", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.546Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:22:01.088Z 804e3b095828 Skyformation - 4749241203676691576 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 dproc=file events dtz=default-tenant end=1631830921088 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:22:01.088Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:22:00.690Z ext_md5Checksum=8e515a38447fb49fafaa3e7170033bae ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660730 ext_insertionTimestamp=2021-09-16T22:23:15.723548Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:22:01.088Z\",\"insertionTimestamp\":\"2021-09-16T22:23:15.723548Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660730,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8e515a38447fb49fafaa3e7170033bae\",\"sha256Checksum\":\"5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:22:00.690Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:22:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61425_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ad96c6e7-6d2f-5df9-b6e7-d303a7b7f923", "observed_start_time": "2021-09-16T22:22:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "a7fd941d-edea-4706-9699-2a2f79ca15d2", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:22:01.088Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:22:00.690Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f", "2021-09-16T22:24:29.693Z", 6660730, "code42-exfil-share-datatype", "8e515a38447fb49fafaa3e7170033bae", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:22:01.088Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7158143674742709094 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 
ext_insertionTimestamp=2021-09-16T19:18:39.567291Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567291Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libmscordaccore.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2802552,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"854aa71660522e18506cc263cecea7e2\",\"sha256Checksum\":\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"createTimestamp\":\"2020-01-17T02:31:44Z\",\"modifyTimestamp\":\"2020-01-17T02:31:44Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_13_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8198bde8-0245-5e2a-93fc-59c66fb696e4", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libmscordaccore.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:31:44Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab", "2021-09-16T19:20:29.169Z", 2802552, "code42-exfil-share-datatype", "854aa71660522e18506cc263cecea7e2", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:31:44Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:33:01.185Z 804e3b095828 Skyformation - 4460753087283045225 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 dproc=file events dtz=default-tenant end=1631831581185 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:33:01.185Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:33:00.790Z ext_md5Checksum=7075f5a9476afb66da2971d452418a61 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661049 ext_insertionTimestamp=2021-09-16T22:34:07.862615Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:33:01.185Z\",\"insertionTimestamp\":\"2021-09-16T22:34:07.862615Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661049,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7075f5a9476afb66da2971d452418a61\",\"sha256Checksum\":\"5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:33:00.790Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:33:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b6618a95-257a-52f5-b542-b6a877095e4e", "observed_start_time": "2021-09-16T22:33:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "aa545d84-3600-423b-b4c0-36ff943bb68d", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:33:01.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:33:00.790Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7", "2021-09-16T22:36:29.677Z", 6661049, "code42-exfil-share-datatype", "7075f5a9476afb66da2971d452418a61", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:33:01.185Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 1247614792973000445 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XPath.XDocument.dll fsize=7680 msg=Resource [Resource: file :: System.Xml.XPath.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XPath.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=82e06f761ac5ea823337cc0ea0d80265 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7680 ext_insertionTimestamp=2021-09-16T19:18:39.567046Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567046Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XPath.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7680,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"82e06f761ac5ea823337cc0ea0d80265\",\"sha256Checksum\":\"4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f6636ef7-9d0d-57a5-b89c-a4a08d818f4a", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XPath.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec", "2021-09-16T19:20:29.169Z", 7680, "code42-exfil-share-datatype", "82e06f761ac5ea823337cc0ea0d80265", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:50:02.626Z 804e3b095828 Skyformation - 7056838657966092182 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 dproc=file events dtz=default-tenant end=1631825402626 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:50:02.626Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:50:01.081Z ext_md5Checksum=0e3e512e4db31fdca7839138ea07c3cd ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658062 ext_insertionTimestamp=2021-09-16T20:51:13.592006Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:50:02.626Z\",\"insertionTimestamp\":\"2021-09-16T20:51:13.592006Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658062,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0e3e512e4db31fdca7839138ea07c3cd\",\"sha256Checksum\":\"6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:50:01.081Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_3_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-95ca0967-17bd-5ba1-9638-937d30c72aa1", "observed_start_time": "2021-09-16T20:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:50:02.626Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:50:01.081Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723", "2021-09-16T20:52:28.713Z", 6658062, "code42-exfil-share-datatype", "0e3e512e4db31fdca7839138ea07c3cd", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:50:02.626Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.999Z 804e3b095828 Skyformation - 8907642681921436779 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711999 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.999Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.646Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567448Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-16T14:29:32.629Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.999Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567448Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":450936,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"58a95b2ee03992ee00ce01ec759b00c8\",\"sha256Checksum\":\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"createTimestamp\":\"2021-09-16T14:29:32.629Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.646Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_7_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1c5d953b-5212-5c47-8f16-8cdaa3e74600", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.999Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "Test42Console-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.646Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71", "2021-09-16T19:20:29.170Z", 450936, "code42-exfil-share-datatype", "58a95b2ee03992ee00ce01ec759b00c8", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.999Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.629Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.806Z 804e3b095828 Skyformation - 8403369398149844084 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723806 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.806Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 ext_insertionTimestamp=2021-09-16T19:18:39.567302Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.806Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567302Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libmscordaccore.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2802552,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"854aa71660522e18506cc263cecea7e2\",\"sha256Checksum\":\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"createTimestamp\":\"2020-01-17T02:31:44Z\",\"modifyTimestamp\":\"2020-01-17T02:31:44Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\
"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-02f5047e-64c3-5227-9027-ce0ddb3f83f9", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.806Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libmscordaccore.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:31:44Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab", "2021-09-16T19:20:29.169Z", 2802552, "code42-exfil-share-datatype", "854aa71660522e18506cc263cecea7e2", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.806Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:31:44Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.995Z 804e3b095828 Skyformation - 4477219442250454415 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711995 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.runtimeconfig.json fsize=146 msg=Resource [Resource: file :: Test42Console-8.2.3.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.527Z ext_md5Checksum=3f892e3babc6c74c9637579412fbd0c0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=146 ext_insertionTimestamp=2021-09-16T19:18:39.567426Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.522Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.995Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567426Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.runtimeconfig.json\",\"fileType\":\"FILE\",\"fileCategory\":\"Uncategorized\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":146,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3f892e3babc6c74c9637579412fbd0c0\",\"sha256Checksum\":\"938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2\",\"createTimestamp\":\"2021-09-16T14:29:32.522Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.527Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/json\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a4735e80-2d88-5e48-8ae4-82cd2dea6439", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.995Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Test42Console-8.2.3.runtimeconfig.json", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.527Z", "application/json", "DELETED", "162.222.47.183", "kathy.kane", "938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2", "2021-09-16T19:20:29.172Z", 146, "code42-exfil-share-datatype", "3f892e3babc6c74c9637579412fbd0c0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Uncategorized", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.995Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.522Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.772Z 804e3b095828 Skyformation - 5124683873500115467 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.772Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.077Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567459Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:19.063Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.772Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567459Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":450936,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"58a95b2ee03992ee00ce01ec759b00c8\",\"sha256Checksum\":\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"createTimestamp\":\"2021-09-16T19:15:19.063Z\",\"modifyTimestamp\":\"2021-09-16T19:15:19.077Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,
\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-675576df-ceb0-5a0d-9bfc-3108c7890515", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.772Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "Test42Console-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:19.077Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71", "2021-09-16T19:20:29.169Z", 450936, "code42-exfil-share-datatype", "58a95b2ee03992ee00ce01ec759b00c8", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.772Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:19.063Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7017112942517350907 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was deleted by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567358Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567358Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"nethost.h\",\"fileType\":\"FILE\",\"fileCategory\":\"SourceCode\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"SourceCode\",\"fileSize\":2709,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"43b6f3115aa52ad9540bdbe756e1a9b3\",\"sha256Checksum\":\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"createTimestamp\":\"2020-01-17T20:38:56Z\",\"modifyTimestamp\":\"2020-01-17T20:38:56Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/x-chdr\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61265_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-071fc5f2-9af0-594f-8c83-88575846f14e", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "SourceCode", "Endpoint", "nethost.h", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:38:56Z", "text/x-chdr", "DELETED", "162.222.47.183", "kathy.kane", "c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f", "2021-09-16T19:20:29.170Z", 2709, "code42-exfil-share-datatype", "43b6f3115aa52ad9540bdbe756e1a9b3", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "SourceCode", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:38:56Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:50:02.065Z 804e3b095828 Skyformation - 8498846088421542075 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 dproc=file events dtz=default-tenant end=1631821802065 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:50:02.065Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:50:00.154Z ext_md5Checksum=419c9c07c999bc2c71e9c8e0d74b3977 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656322 ext_insertionTimestamp=2021-09-16T19:51:24.240399Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:50:02.065Z\",\"insertionTimestamp\":\"2021-09-16T19:51:24.240399Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656322,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"419c9c07c999bc2c71e9c8e0d74b3977\",\"sha256Checksum\":\"c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:50:00.154Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61338_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b860517a-d359-5618-b9da-cbb484cb38e6", "observed_start_time": "2021-09-16T19:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:50:02.065Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:50:00.154Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb", "2021-09-16T19:52:28.142Z", 6656322, "code42-exfil-share-datatype", "419c9c07c999bc2c71e9c8e0d74b3977", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:50:02.065Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:23:01.314Z 804e3b095828 Skyformation - 930370924908933384 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 dproc=file events dtz=default-tenant end=1631820181314 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:23:01.314Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:23:00.067Z ext_md5Checksum=8ce945a5034d673a8c3df84df944e9e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655539 ext_insertionTimestamp=2021-09-16T19:24:05.872543Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:23:01.314Z\",\"insertionTimestamp\":\"2021-09-16T19:24:05.872543Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6655539,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8ce945a5034d673a8c3df84df944e9e2\",\"sha256Checksum\":\"eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:23:00.067Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:23:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61298_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-edf54539-1473-5d66-97c1-f95cf9899b35", "observed_start_time": "2021-09-16T19:23:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:23:01.314Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:23:00.067Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f", "2021-09-16T19:24:29.929Z", 6655539, "code42-exfil-share-datatype", "8ce945a5034d673a8c3df84df944e9e2", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:23:01.314Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:27.623Z 804e3b095828 Skyformation - 3964934661273873169 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819727623 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was created by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:27.623Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 
ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:27.409Z ext_md5Checksum=232b292616f09cef3e0e8ba9805a2963 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568099Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:27.408Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:27.623Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568099Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Dotnet.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":202,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"232b292616f09cef3e0e8ba9805a2963\",\"sha256Checksum\":\"88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912\",\"createTimestamp\":\"2021-09-16T19:15:27.408Z\",\"modifyTimestamp\":\"2021-09-16T19:15:27.409Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":fals
e,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0e09b581-9e7d-5195-8a38-88102b9c437d", "observed_start_time": "2021-09-16T19:15:27Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:27.623Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Dotnet.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:27.409Z", "application/x-sh", "CREATED", "162.222.47.183", "kathy.kane", "88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912", "2021-09-16T19:20:29.167Z", 202, "code42-exfil-share-datatype", "232b292616f09cef3e0e8ba9805a2963", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:27.623Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:27.408Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:01:00.819Z 804e3b095828 Skyformation - 4261722877678484633 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 dproc=file 
events dtz=default-tenant end=1631826060819 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:01:00.819Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:01:00.560Z ext_md5Checksum=da192fa26ed85e10ce7bb718251110ad ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658381 ext_insertionTimestamp=2021-09-16T21:01:47.308430Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:01:00.819Z\",\"insertionTimestamp\":\"2021-09-16T21:01:47.308430Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658381,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"da192fa26ed85e10ce7bb718251110ad\",\"sha256Checksum\":\"74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:01:00.560Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"172.20.64.15\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:01:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7711c718-0e21-5675-bb34-071d60939878", "observed_start_time": "2021-09-16T21:01:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:01:00.819Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "172.20.64.15", "2021-09-16T21:01:00.560Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53", "2021-09-16T21:02:28.778Z", 6658381, "code42-exfil-share-datatype", "da192fa26ed85e10ce7bb718251110ad", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:01:00.819Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 6610991199308768678 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567179Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567179Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"WindowsBase.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d8a0e4361c61034952e56a4eaac26925\",\"sha256Checksum\":\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-85a1f9cb-fdf2-5bd3-8178-3d11c1f5cec4", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsBase.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597", "2021-09-16T19:20:29.168Z", 6656, "code42-exfil-share-datatype", "d8a0e4361c61034952e56a4eaac26925", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 2798890335140955527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.567023Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567023Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fef6c873d31e77de3f5c254593f606d0\",\"sha256Checksum\":\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"ema
ilRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ede94b18-04d2-554a-90e6-ab609600fa70", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3", "2021-09-16T19:20:29.167Z", 6144, "code42-exfil-share-datatype", "fef6c873d31e77de3f5c254593f606d0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.078Z 804e3b095828 Skyformation - 7299018334312800224 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724078 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.078Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 
ext_insertionTimestamp=2021-09-16T19:18:39.567035Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.078Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567035Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fef6c873d31e77de3f5c254593f606d0\",\"sha256Checksum\":\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_11_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f91637db-83e4-5758-b551-7c227aba1a5d", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.078Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3", "2021-09-16T19:20:29.168Z", 6144, "code42-exfil-share-datatype", "fef6c873d31e77de3f5c254593f606d0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.078Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:28:01.712Z 804e3b095828 Skyformation - 891655873053505721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 dproc=file events dtz=default-tenant end=1631827681712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:28:01.712Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:28:00.665Z ext_md5Checksum=043ea115b4517db2f0aa7c5853f7385b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659164 ext_insertionTimestamp=2021-09-16T21:28:58.572803Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:28:01.712Z\",\"insertionTimestamp\":\"2021-09-16T21:28:58.572803Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659164,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"043ea115b4517db2f0aa7c5853f7385b\",\"sha256Checksum\":\"49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:28:00.665Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:28:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d5a79131-010e-5b41-9357-c3586091d05e", "observed_start_time": "2021-09-16T21:28:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:28:01.712Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:28:00.665Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4", "2021-09-16T21:30:29.019Z", 6659164, "code42-exfil-share-datatype", "043ea115b4517db2f0aa7c5853f7385b", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:28:01.712Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.033Z 804e3b095828 Skyformation - 5428778102527363807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712033 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.033Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.287Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567537Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.033Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567537Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-Test42Runner-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":468043,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2fa8d4d1035f2e127169e5e649d52ed1\",\"sha256Checksum\":\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"createTimestamp\":\"2021-09-16T14:29:26.269Z\",\"modifyTimestamp\":\"2021-09-16T14:29:26.287Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-04487d78-acfd-5735-a210-f113f8855f9c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-Test42Runner-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:26.287Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4", "2021-09-16T19:20:29.169Z", 468043, "code42-exfil-share-datatype", "2fa8d4d1035f2e127169e5e649d52ed1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.033Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:26.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:02.481Z\",\"insertionTimestamp\":\"2021-09-16T22:55:54.847061Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661687,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3df126f4a090da12f2c29b6e5c1c29da\",\"sha256Checksum\":\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.206Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1d9f33fa-cc28-5fe5-9975-5003f91369d6", "observed_start_time": "2021-09-16T22:55:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "b5e047b0-70bf-4cda-9513-e3fb2fffd016", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:02.481Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:55:00.206Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c", "2021-09-16T22:58:29.755Z", 6661687, "code42-exfil-share-datatype", "3df126f4a090da12f2c29b6e5c1c29da", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:55:02.481Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:06:01.028Z 804e3b095828 Skyformation - 8997259429135136842 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 dproc=file events dtz=default-tenant end=1631829961028 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:06:01.028Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:06:00.773Z ext_md5Checksum=e3826febfa687b19d431037a05e3d695 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660266 ext_insertionTimestamp=2021-09-16T22:06:57.577426Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:06:01.028Z\",\"insertionTimestamp\":\"2021-09-16T22:06:57.577426Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660266,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e3826febfa687b19d431037a05e3d695\",\"sha256Checksum\":\"a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:06:00.773Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:06:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61424_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0c80d806-8279-587b-8b43-c95ce2fcdd89", "observed_start_time": "2021-09-16T22:06:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:06:01.028Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:06:00.773Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6", "2021-09-16T22:08:29.515Z", 6660266, "code42-exfil-share-datatype", "e3826febfa687b19d431037a05e3d695", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:06:01.028Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:01:01.612Z 804e3b095828 Skyformation - 5476861324589104236 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 dproc=file events dtz=default-tenant end=1631829661612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:01:01.612Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:01:00.223Z ext_md5Checksum=aa34550e46232e041e8738f575568b63 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660121 ext_insertionTimestamp=2021-09-16T22:01:32.790174Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:01:01.612Z\",\"insertionTimestamp\":\"2021-09-16T22:01:32.790174Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660121,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa34550e46232e041e8738f575568b63\",\"sha256Checksum\":\"6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:01:00.223Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:01:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7f05d117-a06c-5922-8649-7708e4d80765", "observed_start_time": "2021-09-16T22:01:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:01:01.612Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:01:00.223Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530", "2021-09-16T22:04:30.120Z", 6660121, "code42-exfil-share-datatype", "aa34550e46232e041e8738f575568b63", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:01:01.612Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:39:03.445Z 804e3b095828 Skyformation - 2624752478966021475 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 dproc=file events dtz=default-tenant end=1631821143445 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:39:03.445Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:39:01.028Z ext_md5Checksum=2f0e54e1e35e34e9a4b6c5b586789edf ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656003 ext_insertionTimestamp=2021-09-16T19:40:23.773101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:39:03.445Z\",\"insertionTimestamp\":\"2021-09-16T19:40:23.773101Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656003,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2f0e54e1e35e34e9a4b6c5b586789edf\",\"sha256Checksum\":\"22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:39:01.028Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:39:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61338_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d473561a-d486-58d7-9d54-79dca5b2d69e", "observed_start_time": "2021-09-16T19:39:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:39:03.445Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:39:01.028Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534", "2021-09-16T19:40:28.880Z", 6656003, "code42-exfil-share-datatype", "2f0e54e1e35e34e9a4b6c5b586789edf", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:39:03.445Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:55:01.913Z 804e3b095828 Skyformation - 1768128187348227515 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 dproc=file events dtz=default-tenant end=1631829301913 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:55:01.913Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:55:00.543Z ext_md5Checksum=dc00517c1ea40d76a86ac0775630315b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659947 ext_insertionTimestamp=2021-09-16T21:56:06.248063Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:55:01.913Z\",\"insertionTimestamp\":\"2021-09-16T21:56:06.248063Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659947,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"dc00517c1ea40d76a86ac0775630315b\",\"sha256Checksum\":\"dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:55:00.543Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:55:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61422_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-15c0c9b0-6bdf-53a1-add0-1f2928d4286d", "observed_start_time": "2021-09-16T21:55:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:55:01.913Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:55:00.543Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37", "2021-09-16T21:58:29.321Z", 6659947, "code42-exfil-share-datatype", "dc00517c1ea40d76a86ac0775630315b", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:55:01.913Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:17:01.240Z 804e3b095828 Skyformation - 6379287197034431494 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 dproc=file events dtz=default-tenant end=1631827021240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:17:01.240Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:17:00.229Z ext_md5Checksum=37d786d2ffe3997a1a4913f817e1163c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658845 ext_insertionTimestamp=2021-09-16T21:18:05.961899Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:17:01.240Z\",\"insertionTimestamp\":\"2021-09-16T21:18:05.961899Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658845,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"37d786d2ffe3997a1a4913f817e1163c\",\"sha256Checksum\":\"144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:17:00.229Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:17:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61401_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4e4fc7d1-49ea-5c9b-bca5-6f1b79386f29", "observed_start_time": "2021-09-16T21:17:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:17:01.240Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:17:00.229Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817", "2021-09-16T21:18:29.165Z", 6658845, "code42-exfil-share-datatype", "37d786d2ffe3997a1a4913f817e1163c", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:17:01.240Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 7619218699635329950 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567201Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567201Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libclrjit.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2741416,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"650f69041d44556a5f3bdbcace8b3dea\",\"sha256Checksum\":\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"createTimestamp\":\"2020-01-17T02:29:02Z\",\"modifyTimestamp\":\"2020-01-17T02:29:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_17_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66849bfc-3193-508e-8ee8-6bb759846345", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libclrjit.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:29:02Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959", "2021-09-16T19:20:29.167Z", 2741416, "code42-exfil-share-datatype", "650f69041d44556a5f3bdbcace8b3dea", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:29:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:06:01.487Z 804e3b095828 Skyformation - 6710622959611147958 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 dproc=file events dtz=default-tenant end=1631826361487 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:06:01.487Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:06:00.163Z ext_md5Checksum=60bf5e7434748875904b3d240e9933b7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658526 ext_insertionTimestamp=2021-09-16T21:07:13.335410Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:06:01.487Z\",\"insertionTimestamp\":\"2021-09-16T21:07:13.335410Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658526,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"60bf5e7434748875904b3d240e9933b7\",\"sha256Checksum\":\"f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:06:00.163Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:06:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61346_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-367d899b-650f-51b4-a6a1-0534a3961b75", "observed_start_time": "2021-09-16T21:06:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:06:01.487Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:06:00.163Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba", "2021-09-16T21:08:28.978Z", 6658526, "code42-exfil-share-datatype", "60bf5e7434748875904b3d240e9933b7", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:06:01.487Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:34:01.736Z 804e3b095828 Skyformation - 2573052291884632109 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 dproc=file events dtz=default-tenant 
end=1631820841736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:34:01.736Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:34:00.437Z ext_md5Checksum=5082d25b519827369f4026d1de2ee6ca ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655858 ext_insertionTimestamp=2021-09-16T19:34:57.134540Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:34:01.736Z\",\"insertionTimestamp\":\"2021-09-16T19:34:57.134540Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6655858,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5082d25b519827369f4026d1de2ee6ca\",\"sha256Checksum\":\"7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:34:00.437Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:34:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61335_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d0c40d9-1a17-5018-b60d-c3342b98c94c", "observed_start_time": "2021-09-16T19:34:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:34:01.736Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:34:00.437Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b", "2021-09-16T19:36:28.977Z", 6655858, "code42-exfil-share-datatype", "5082d25b519827369f4026d1de2ee6ca", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:34:01.736Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 2397866919275056029 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Web.HttpUtility.dll fsize=36864 msg=Resource [Resource: file :: System.Web.HttpUtility.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Web.HttpUtility.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=306b1de856625f7499d783f7b4b79f38 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36864 ext_insertionTimestamp=2021-09-16T19:18:39.566889Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.743Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566889Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Web.HttpUtility.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36864,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"306b1de856625f7499d783f7b4b79f38\",\"sha256Checksum\":\"125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_3_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-811d4e91-e46b-5844-9af9-7c850abf3da3", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.743Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Web.HttpUtility.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8", "2021-09-16T19:20:29.168Z", 36864, "code42-exfil-share-datatype", "306b1de856625f7499d783f7b4b79f38", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.743Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 58574569231396443 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.487Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567858Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.287Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567858Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-common-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6080452,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"08215631827e4179e243d27b5f502f90\",\"sha256Checksum\":\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"createTimestamp\":\"2021-09-16T14:29:27.287Z\",\"modifyTimestamp\":\"2021-09-16T14:29:27.487Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRec
ipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2080f524-24c7-5036-968e-df2b85f1b54f", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-common-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:27.487Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1", "2021-09-16T19:20:29.170Z", 6080452, "code42-exfil-share-datatype", "08215631827e4179e243d27b5f502f90", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.287Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.747Z 804e3b095828 Skyformation - 6719904774936520368 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711747 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.747Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567380Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.747Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567380Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"netstandard.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":105472,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3d47f885a18937d6fd0fde935538560b\",\"sha256Checksum\":\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7c9d9285-5d31-550b-a4b2-9fd3d3b8a388", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.747Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "netstandard.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8", "2021-09-16T19:20:29.171Z", 105472, "code42-exfil-share-datatype", "3d47f885a18937d6fd0fde935538560b", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.747Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.996Z 804e3b095828 Skyformation - 3176029036093175203 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711996 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-runtime-3.1.2-osx-x64.tar.gz fsize=29915862 msg=Resource [Resource: file :: dotnet-runtime-3.1.2-osx-x64.tar.gz] was deleted by [kathy.kane@c42se.com] proto=gz requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:11.996Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-runtime-3.1.2-osx-x64.tar.gz ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/gzip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:36.132Z ext_md5Checksum=f83a55de32ce1a89fb5b123257830cba ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=29915862 ext_insertionTimestamp=2021-09-16T19:18:39.567560Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:35.234Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/gzip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.996Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567560Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-runtime-3.1.2-osx-x64.tar.gz\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":29915862,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f83a55de32ce1a89fb5b123257830cba\",\"sha256Checksum\":\"782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855\",\"createTimestamp\":\"2021-09-16T14:29:35.234Z\",\"modifyTimestamp\":\"2021-09-16T14:29:36.132Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActive
Hours\":false,\"mimeTypeByBytes\":\"application/gzip\",\"mimeTypeByExtension\":\"application/gzip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2b217573-785b-532d-860e-9598234213e8", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.996Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-runtime-3.1.2-osx-x64.tar.gz", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:36.132Z", "application/gzip", "DELETED", "162.222.47.183", "kathy.kane", "782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855", "2021-09-16T19:20:29.167Z", 29915862, "code42-exfil-share-datatype", "f83a55de32ce1a89fb5b123257830cba", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.996Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:35.234Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 3843752372852811386 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was deleted by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.005Z ext_md5Checksum=2d2bf0d9382070b7cca29a72b3936e5d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.005Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.994Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568088Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Dotnet.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":202,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2d2bf0d9382070b7cca29a72b3936e5d\",\"sha256Checksum\":\"4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca\",\"createTimestamp\":\"2021-09-16T14:29:41.005Z\",\"modifyTimestamp\":\"2021-09-16T14:29:41.005Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_6_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bf1190c9-a884-5c2a-bb2c-2795c5d957d1", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.994Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Dotnet.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:41.005Z", "application/x-sh", "DELETED", "162.222.47.183", "kathy.kane", "4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca", "2021-09-16T19:20:29.167Z", 202, "code42-exfil-share-datatype", "2d2bf0d9382070b7cca29a72b3936e5d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.994Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:41.005Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 2213325285618451753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.446Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 ext_insertionTimestamp=2021-09-16T19:18:39.568020Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568020Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-rest-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6976661,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f20102257ab369adb8dd6cb6c50014fe\",\"sha256Checksum\":\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"createTimestamp\":\"2021-09-16T14:29:31.221Z\",\"modifyTimestamp\":\"2021-09-16T14:29:31.446Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_14_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cd8f9d6d-f964-5596-b969-1adc4cbab814", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-rest-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:31.446Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf", "2021-09-16T19:20:29.167Z", 6976661, "code42-exfil-share-datatype", "f20102257ab369adb8dd6cb6c50014fe", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:31.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:34:01.973Z 804e3b095828 Skyformation - 2524988023863085362 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 dproc=file events dtz=default-tenant end=1631824441973 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:34:01.973Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:34:00.215Z ext_md5Checksum=ff960d04995e3896e1e5f9b9280fa4ab ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657598 ext_insertionTimestamp=2021-09-16T20:34:41.194795Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:34:01.973Z\",\"insertionTimestamp\":\"2021-09-16T20:34:41.194795Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657598,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"ff960d04995e3896e1e5f9b9280fa4ab\",\"sha256Checksum\":\"80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:34:00.215Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:34:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61340_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cab0f6ad-bf33-5b50-a385-5e8c1204635d", "observed_start_time": "2021-09-16T20:34:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:34:01.973Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:34:00.215Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f", "2021-09-16T20:36:28.548Z", 6657598, "code42-exfil-share-datatype", "ff960d04995e3896e1e5f9b9280fa4ab", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:34:01.973Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 9109378012419032857 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.dll fsize=54784 msg=Resource [Resource: file :: Test42Console-8.2.3.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.508Z ext_md5Checksum=d69ac3af560428f6948dc20b997161ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=54784 ext_insertionTimestamp=2021-09-16T19:18:39.567403Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.502Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.997Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567403Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":54784,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d69ac3af560428f6948dc20b997161ee\",\"sha256Checksum\":\"880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43\",\"createTimestamp\":\"2021-09-16T14:29:32.502Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.508Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_17_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-71cfb374-ab6b-5662-ab30-1b3fb949df3c", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.997Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Test42Console-8.2.3.dll", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.508Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43", "2021-09-16T19:20:29.167Z", 54784, "code42-exfil-share-datatype", "d69ac3af560428f6948dc20b997161ee", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.997Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.502Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.818Z 804e3b095828 Skyformation - 1887769325684873078 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723818 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=mscorlib.dll fsize=57216 msg=Resource [Resource: file :: mscorlib.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.818Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=mscorlib.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T18:07:34Z ext_md5Checksum=9720675697af7ba93cd049a9b7f757ef ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=57216 ext_insertionTimestamp=2021-09-16T19:18:39.567347Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T18:07:34Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.818Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567347Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"mscorlib.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":57216,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9720675697af7ba93cd049a9b7f757ef\",\"sha256Checksum\":\"ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c\",\"createTimestamp\":\"2020-01-17T18:07:34Z\",\"modifyTimestamp\":\"2020-01-17T18:07:34Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipien
ts\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ccf85660-82e2-5086-a281-3206e1b2858e", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.818Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorlib.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T18:07:34Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c", "2021-09-16T19:20:29.167Z", 57216, "code42-exfil-share-datatype", "9720675697af7ba93cd049a9b7f757ef", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.818Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T18:07:34Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4770681899815013348 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566957Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566957Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Linq.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2b104a782e44ca704503ca9b3c635c9e\",\"sha256Checksum\":\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e5d743d0-0232-5b8e-b0cb-1edd0490dd9f", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Linq.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437", "2021-09-16T19:20:29.170Z", 6144, "code42-exfil-share-datatype", "2b104a782e44ca704503ca9b3c635c9e", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 4590047523480219385 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.338Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 ext_insertionTimestamp=2021-09-16T19:18:39.567627Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.318Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567627Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":652056,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"23ba5e96a691edc4773fec0f88bf952f\",\"sha256Checksum\":\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"createTimestamp\":\"2021-09-16T14:29:32.318Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.338Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRe
cipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5e9f4477-1d64-576f-b3a8-241c6015add6", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.FileSystemWindows-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.338Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5", "2021-09-16T19:20:29.166Z", 652056, "code42-exfil-share-datatype", "23ba5e96a691edc4773fec0f88bf952f", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.318Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:33:01.545Z 804e3b095828 Skyformation - 7073850292788359537 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 dproc=file events dtz=default-tenant end=1631827981545 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:33:01.545Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:33:00.213Z ext_md5Checksum=20d1f8a835b0834eb7b5d80569deed62 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659309 ext_insertionTimestamp=2021-09-16T21:34:24.032240Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:33:01.545Z\",\"insertionTimestamp\":\"2021-09-16T21:34:24.032240Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659309,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"20d1f8a835b0834eb7b5d80569deed62\",\"sha256Checksum\":\"582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:33:00.213Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:33:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5369c67b-c8ed-5b7f-81d6-ec60324367ab", "observed_start_time": "2021-09-16T21:33:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:33:01.545Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:33:00.213Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c", "2021-09-16T21:34:28.994Z", 6659309, "code42-exfil-share-datatype", "20d1f8a835b0834eb7b5d80569deed62", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:33:01.545Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 146293528143524055 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566867Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.743Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566867Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.ValueTuple.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5632,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"749df27ac6199cfa7c4b38c78528d3c7\",\"sha256Checksum\":\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_5_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1abdcd59-cf9e-5f35-bf4b-d2994605bd55", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.743Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ValueTuple.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e", "2021-09-16T19:20:29.169Z", 5632, "code42-exfil-share-datatype", "749df27ac6199cfa7c4b38c78528d3c7", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.743Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.755Z 804e3b095828 Skyformation - 1836552121230087232 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719755 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.755Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.755Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567661Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.736Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.755Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567661Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":626077,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8824ed0806692fe40c6cc57f282862d1\",\"sha256Checksum\":\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"createTimestamp\":\"2021-09-16T19:15:18.736Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.755Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-28195e6b-c15a-559b-a699-d2f6641591b7", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.755Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.MachineManager-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.755Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30", "2021-09-16T19:20:29.157Z", 626077, "code42-exfil-share-datatype", "8824ed0806692fe40c6cc57f282862d1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.755Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.736Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:44:01.388Z 804e3b095828 Skyformation - 1266689014865399645 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 dproc=file events dtz=default-tenant end=1631832241388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:44:01.388Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:44:00.938Z ext_md5Checksum=b40c0a5ea13afe384316a54705f0d1b4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661368 ext_insertionTimestamp=2021-09-16T22:44:58.435091Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:44:01.388Z\",\"insertionTimestamp\":\"2021-09-16T22:44:58.435091Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661368,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"b40c0a5ea13afe384316a54705f0d1b4\",\"sha256Checksum\":\"a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:44:00.938Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:44:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d639f22b-9cff-59ed-9021-3ad255581d0e", "observed_start_time": "2021-09-16T22:44:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "a996d996-7445-4022-a863-c1845dab62f5", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:44:01.388Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:44:00.938Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d", "2021-09-16T22:46:30.421Z", 6661368, "code42-exfil-share-datatype", "b40c0a5ea13afe384316a54705f0d1b4", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:44:01.388Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.770Z 804e3b095828 Skyformation - 6071486703917102800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718770 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.770Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.840Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567818Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.648Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.770Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567818Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7005905,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5f7aa4fdb5ef4c7a5a5124f614865982\",\"sha256Checksum\":\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"createTimestamp\":\"2021-09-16T19:15:17.648Z\",\"modifyTimestamp\":\"2021-09-16T19:15:17.840Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-08118857-1290-5488-af20-857c21d6bdd1", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.770Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-visualization-service-rest-2.1.0.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:17.840Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240", "2021-09-16T19:20:29.169Z", 7005905, "code42-exfil-share-datatype", "5f7aa4fdb5ef4c7a5a5124f614865982", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.770Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.648Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.079Z 804e3b095828 Skyformation - 5370534398414402294 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724079 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XmlDocument.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.XmlDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.079Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=447d8892131a4e11ea225e3b1ffe34b1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.079Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567101Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XmlDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"447d8892131a4e11ea225e3b1ffe34b1\",\"sha256Checksum\":\"a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"e
mailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f80475c4-c69b-58e5-a9ed-33af9056766f", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.079Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XmlDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe", "2021-09-16T19:20:29.171Z", 6656, "code42-exfil-share-datatype", "447d8892131a4e11ea225e3b1ffe34b1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.079Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:56:02.173Z 804e3b095828 Skyformation - 7188922889508140062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 dproc=file events dtz=default-tenant end=1631822162173 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:56:02.173Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:56:00.923Z ext_md5Checksum=fc552e5a9046ea13a5d6106e2b2f9b76 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656496 ext_insertionTimestamp=2021-09-16T19:56:39.322640Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:56:02.173Z\",\"insertionTimestamp\":\"2021-09-16T19:56:39.322640Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656496,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fc552e5a9046ea13a5d6106e2b2f9b76\",\"sha256Checksum\":\"3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:56:00.923Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"
emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:56:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61339_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5b13a540-ce0b-5885-ac3e-33c0b65dba06", "observed_start_time": "2021-09-16T19:56:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:56:02.173Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:56:00.923Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4", "2021-09-16T19:58:28.306Z", 6656496, "code42-exfil-share-datatype", "fc552e5a9046ea13a5d6106e2b2f9b76", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:56:02.173Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.074Z 804e3b095828 Skyformation - 8477448688941154930 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724074 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.074Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566968Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.074Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566968Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Linq.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2b104a782e44ca704503ca9b3c635c9e\",\"sha256Checksum\":\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_14_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e28b082b-fc8d-5d89-9b34-4381e18289c2", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.074Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Linq.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437", "2021-09-16T19:20:29.167Z", 6144, "code42-exfil-share-datatype", "2b104a782e44ca704503ca9b3c635c9e", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.074Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:11:00.794Z 804e3b095828 Skyformation - 2404635122291901530 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 dproc=file events dtz=default-tenant end=1631830260794 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:11:00.794Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:11:00.379Z ext_md5Checksum=951245aef74b1e8b33f4500e499e686a ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660411 ext_insertionTimestamp=2021-09-16T22:12:24.819165Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:11:00.794Z\",\"insertionTimestamp\":\"2021-09-16T22:12:24.819165Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660411,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"951245aef74b1e8b33f4500e499e686a\",\"sha256Checksum\":\"e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:11:00.379Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:11:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cfed350e-a44b-53ce-b882-dc197c8f62b6", "observed_start_time": "2021-09-16T22:11:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:11:00.794Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:11:00.379Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da", "2021-09-16T22:12:29.328Z", 6660411, "code42-exfil-share-datatype", "951245aef74b1e8b33f4500e499e686a", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:11:00.794Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 8233299408064618554 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567268Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567268Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libhostpolicy.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":315420,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"006913ffaf68f205cc00bd03cc0d3761\",\"sha256Checksum\":\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"createTimestamp\":\"2020-01-17T20:42:18Z\",\"modifyTimestamp\":\"2020-01-17T20:42:18Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61262_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b22fa99e-4961-5cd7-94d9-94743bc7cc5a", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libhostpolicy.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:42:18Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c", "2021-09-16T19:20:29.158Z", 315420, "code42-exfil-share-datatype", "006913ffaf68f205cc00bd03cc0d3761", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:42:18Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:28:03.165Z 804e3b095828 Skyformation - 4940785117334694295 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 dproc=file events dtz=default-tenant end=1631824083165 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:28:03.165Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:28:00.813Z ext_md5Checksum=d4b2584cc8639725ef1a77f10489af6e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657424 ext_insertionTimestamp=2021-09-16T20:29:14.653406Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:28:03.165Z\",\"insertionTimestamp\":\"2021-09-16T20:29:14.653406Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657424,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d4b2584cc8639725ef1a77f10489af6e\",\"sha256Checksum\":\"4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:28:00.813Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:28:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-91bf6af3-6d39-5a96-81d4-c4908b781523", "observed_start_time": "2021-09-16T20:28:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:28:03.165Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:28:00.813Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4", "2021-09-16T20:30:28.534Z", 6657424, "code42-exfil-share-datatype", "d4b2584cc8639725ef1a77f10489af6e", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:28:03.165Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 8309860196715459145 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.239Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567649Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.212Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567649Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":626077,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8824ed0806692fe40c6cc57f282862d1\",\"sha256Checksum\":\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"createTimestamp\":\"2021-09-16T14:29:32.212Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.239Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_5_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0e24644f-f291-5bd2-bc35-86a9b5d0b7a3", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.MachineManager-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.239Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30", "2021-09-16T19:20:29.169Z", 626077, "code42-exfil-share-datatype", "8824ed0806692fe40c6cc57f282862d1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.212Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:55:02.138Z 804e3b095828 Skyformation - 729364201181628912 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 dproc=file events dtz=default-tenant end=1631825702138 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:55:02.138Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:55:00.753Z ext_md5Checksum=63d8ad93f3a8ccf161c446bd00ebe0ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658207 ext_insertionTimestamp=2021-09-16T20:56:21.765014Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:55:02.138Z\",\"insertionTimestamp\":\"2021-09-16T20:56:21.765014Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658207,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"63d8ad93f3a8ccf161c446bd00ebe0ee\",\"sha256Checksum\":\"d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:55:00.753Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-288534d9-fd19-501f-a62b-9ccd21200713", "observed_start_time": "2021-09-16T20:55:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:55:02.138Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:55:00.753Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e", "2021-09-16T20:58:28.798Z", 6658207, "code42-exfil-share-datatype", "63d8ad93f3a8ccf161c446bd00ebe0ee", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:55:02.138Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 8983082904017481833 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:28.729Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567951Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.871Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567951Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26151827,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"4686b7fd21e7fb7459728108e94bdda5\",\"sha256Checksum\":\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"createTimestamp\":\"2021-09-16T14:29:27.871Z\",\"modifyTimestamp\":\"2021-09-16T14:29:28.729Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ea36b47c-6754-5ecf-931a-a6132c50aa22", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-desktop-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:28.729Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455", "2021-09-16T19:20:29.170Z", 26151827, "code42-exfil-share-datatype", "4686b7fd21e7fb7459728108e94bdda5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.871Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:12:03.215Z 804e3b095828 Skyformation - 6886991114765220858 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 dproc=file events dtz=default-tenant end=1631823123215 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:12:03.215Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:12:00.952Z ext_md5Checksum=326e1e96ac5b97f92334ae3ed0af00a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656960 ext_insertionTimestamp=2021-09-16T20:12:57.237021Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:12:03.215Z\",\"insertionTimestamp\":\"2021-09-16T20:12:57.237021Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656960,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"326e1e96ac5b97f92334ae3ed0af00a9\",\"sha256Checksum\":\"7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:12:00.952Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:12:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61340_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4187d125-6fed-5e14-872a-e781ac9c07c7", "observed_start_time": "2021-09-16T20:12:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:12:03.215Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:12:00.952Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc", "2021-09-16T20:14:29.101Z", 6656960, "code42-exfil-share-datatype", "326e1e96ac5b97f92334ae3ed0af00a9", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:12:03.215Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 3519140269928418882 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.847Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567807Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.631Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567807Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7005905,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5f7aa4fdb5ef4c7a5a5124f614865982\",\"sha256Checksum\":\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"createTimestamp\":\"2021-09-16T14:29:30.631Z\",\"modifyTimestamp\":\"2021-09-16T14:29:30.847Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_0_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c15684c1-40f1-5e8d-a549-ec971abac766", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-visualization-service-rest-2.1.0.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:30.847Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240", "2021-09-16T19:20:29.168Z", 7005905, "code42-exfil-share-datatype", "5f7aa4fdb5ef4c7a5a5124f614865982", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.631Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:39:02.995Z 804e3b095828 Skyformation - 2457476870350379974 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 dproc=file events dtz=default-tenant end=1631824742995 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:39:02.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:39:00.749Z ext_md5Checksum=c777bda26af371c784639bf97c796a30 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657743 ext_insertionTimestamp=2021-09-16T20:40:03.955501Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:39:02.995Z\",\"insertionTimestamp\":\"2021-09-16T20:40:03.955501Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657743,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c777bda26af371c784639bf97c796a30\",\"sha256Checksum\":\"2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:39:00.749Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:39:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61342_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8fd13adc-a57f-52b3-afec-f4d6286a241e", "observed_start_time": "2021-09-16T20:39:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:39:02.995Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:39:00.749Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a", "2021-09-16T20:40:29.204Z", 6657743, "code42-exfil-share-datatype", "c777bda26af371c784639bf97c796a30", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:39:02.995Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.898Z 804e3b095828 Skyformation - 4866351305492022215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819715898 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.898Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:16.117Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567962Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.422Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.898Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567962Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26151827,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"4686b7fd21e7fb7459728108e94bdda5\",\"sha256Checksum\":\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"createTimestamp\":\"2021-09-16T19:15:15.422Z\",\"modifyTimestamp\":\"2021-09-16T19:15:16.117Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f72d64ad-9c47-5fe9-abad-e1411db140d1", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.898Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-desktop-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:16.117Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455", "2021-09-16T19:20:29.168Z", 26151827, "code42-exfil-share-datatype", "4686b7fd21e7fb7459728108e94bdda5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.898Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:15.422Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:17:02.470Z 804e3b095828 Skyformation - 3355602177351257247 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 dproc=file events dtz=default-tenant end=1631823422470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:17:02.470Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:17:00.510Z ext_md5Checksum=79e223064e50c50dc63e89e30862e8f4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657105 ext_insertionTimestamp=2021-09-16T20:18:24.025397Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:17:02.470Z\",\"insertionTimestamp\":\"2021-09-16T20:18:24.025397Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657105,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"79e223064e50c50dc63e89e30862e8f4\",\"sha256Checksum\":\"5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:17:00.510Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:17:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6d5a20a2-f50e-5f19-a010-b1be1e470e1d", "observed_start_time": "2021-09-16T20:17:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:17:02.470Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:17:00.510Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3", "2021-09-16T20:20:29.219Z", 6657105, "code42-exfil-share-datatype", "79e223064e50c50dc63e89e30862e8f4", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:17:02.470Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.801Z 804e3b095828 Skyformation - 621632533739725350 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819723801 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.801Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567212Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.801Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567212Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libclrjit.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2741416,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"650f69041d44556a5f3bdbcace8b3dea\",\"sha256Checksum\":\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"createTimestamp\":\"2020-01-17T02:29:02Z\",\"modifyTimestamp\":\"2020-01-17T02:29:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_4_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4ae4ea8f-75b0-5f70-bab5-178877150abf", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.801Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libclrjit.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:29:02Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959", "2021-09-16T19:20:29.158Z", 2741416, "code42-exfil-share-datatype", "650f69041d44556a5f3bdbcace8b3dea", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.801Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:29:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:49:02.292Z 804e3b095828 Skyformation - 1350603041899679478 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 dproc=file events dtz=default-tenant end=1631832542292 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:49:02.292Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:49:00.527Z ext_md5Checksum=e36e7a007a335fab0b5c84fd64dfdccc ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661513 ext_insertionTimestamp=2021-09-16T22:50:23.782238Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:49:02.292Z\",\"insertionTimestamp\":\"2021-09-16T22:50:23.782238Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661513,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e36e7a007a335fab0b5c84fd64dfdccc\",\"sha256Checksum\":\"5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:49:00.527Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:49:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61444_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-af4fbb0a-af39-5538-9106-9b2db2646476", "observed_start_time": "2021-09-16T22:49:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "e6bed5f8-b4eb-48c3-a7d6-93dcd222e271", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:49:02.292Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:49:00.527Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca", "2021-09-16T22:52:31.870Z", 6661513, "code42-exfil-share-datatype", "e36e7a007a335fab0b5c84fd64dfdccc", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:49:02.292Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.761Z 804e3b095828 Skyformation - 2980995002300610810 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719761 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.761Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.832Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 
ext_insertionTimestamp=2021-09-16T19:18:39.567638Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.812Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.761Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567638Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":652056,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"23ba5e96a691edc4773fec0f88bf952f\",\"sha256Checksum\":\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"createTimestamp\":\"2021-09-16T19:15:18.812Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.832Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c978eb4a-4e5b-5e42-870b-1d5172367949", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.761Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.FileSystemWindows-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.832Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5", "2021-09-16T19:20:29.168Z", 652056, "code42-exfil-share-datatype", "23ba5e96a691edc4773fec0f88bf952f", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.761Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.812Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.897Z 804e3b095828 Skyformation - 5723685368446080373 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715897 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar fsize=41227 msg=Resource [Resource: file :: test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.897Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.419Z ext_md5Checksum=e98fb5f87aed64e2d32116bc565d2dec ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=41227 ext_insertionTimestamp=2021-09-16T19:18:39.567796Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.414Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.897Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567796Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":41227,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e98fb5f87aed64e2d32116bc565d2dec\",\"sha256Checksum\":\"95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806\",\"createTimestamp\":\"2021-09-16T19:15:15.414Z\",\"modifyTimestamp\":\"2021-09-16T19:15:15.419Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\"
:null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4386ebf1-b7bd-5cc7-9d76-25107a9a2069", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.897Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:15.419Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806", "2021-09-16T19:20:29.157Z", 41227, "code42-exfil-share-datatype", "e98fb5f87aed64e2d32116bc565d2dec", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.897Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:15.414Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.821Z 804e3b095828 Skyformation - 1605658926549055429 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723821 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.821Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567392Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.821Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567392Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"netstandard.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":105472,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3d47f885a18937d6fd0fde935538560b\",\"sha256Checksum\":\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_18_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2481047e-5ae4-543b-9028-8e19e3e05566", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.821Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "netstandard.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8", "2021-09-16T19:20:29.170Z", 105472, "code42-exfil-share-datatype", "3d47f885a18937d6fd0fde935538560b", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.821Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:01:01.023Z 804e3b095828 Skyformation - 2456916627922492488 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 dproc=file events dtz=default-tenant end=1631822461023 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:01:01.023Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:01:00.608Z ext_md5Checksum=2ee6250bd1e7bd8600f0961bd3324d4e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656641 ext_insertionTimestamp=2021-09-16T20:02:04.344088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:01:01.023Z\",\"insertionTimestamp\":\"2021-09-16T20:02:04.344088Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656641,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2ee6250bd1e7bd8600f0961bd3324d4e\",\"sha256Checksum\":\"1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:01:00.608Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:01:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61339_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fc4db0ba-18cc-5107-a914-084f635c52af", "observed_start_time": "2021-09-16T20:01:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:01:01.023Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:01:00.608Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54", "2021-09-16T20:04:28.310Z", 6656641, "code42-exfil-share-datatype", "2ee6250bd1e7bd8600f0961bd3324d4e", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:01:01.023Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.772Z 804e3b095828 Skyformation - 8294759705628931815 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819718772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.772Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.095Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.568008Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.884Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.772Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568008Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7650176,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d2670e017c2aee21fbfa183360468e94\",\"sha256Checksum\":\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"createTimestamp\":\"2021-09-16T19:15:17.884Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.095Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f63d3086-bd17-55ab-81cc-54fc91e7d10b", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.772Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-file-system-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.095Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64", "2021-09-16T19:20:29.172Z", 7650176, "code42-exfil-share-datatype", "d2670e017c2aee21fbfa183360468e94", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.772Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.884Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:44:00.556Z 804e3b095828 Skyformation - 8674733544075329242 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 dproc=file events dtz=default-tenant end=1631828640556 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:44:00.556Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:44:00.149Z ext_md5Checksum=32ef24cfa95d52085eea12935c55f475 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659628 ext_insertionTimestamp=2021-09-16T21:45:15.841469Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:44:00.556Z\",\"insertionTimestamp\":\"2021-09-16T21:45:15.841469Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659628,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"32ef24cfa95d52085eea12935c55f475\",\"sha256Checksum\":\"a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:44:00.149Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:44:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-23911c2c-7e26-51bc-9fea-5f05b4c871cf", "observed_start_time": "2021-09-16T21:44:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:44:00.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:44:00.149Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a", "2021-09-16T21:46:29.997Z", 6659628, "code42-exfil-share-datatype", "32ef24cfa95d52085eea12935c55f475", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:44:00.556Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.085Z 804e3b095828 Skyformation - 8692612087128247895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819724085 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.085Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567190Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.085Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567190Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"WindowsBase.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d8a0e4361c61034952e56a4eaac26925\",\"sha256Checksum\":\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_18_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-08f2fe68-910f-5dc7-94c4-c7d30afc8519", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.085Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsBase.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597", "2021-09-16T19:20:29.170Z", 6656, "code42-exfil-share-datatype", "d8a0e4361c61034952e56a4eaac26925", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.085Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z 
ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-75e7c90f-681b-5167-ab1f-93253718bf60", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "email", "ctr_uuid": "9bbedf60-14c7-4119-88a5-0980db51cd12", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": 
"indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 5692899194704443110 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Java.sh fsize=165 msg=Resource [Resource: file :: launchTest42Console-Java.sh] was deleted 
by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Java.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.020Z ext_md5Checksum=3b387d2bf8ce6d3b92a5f1db751813f9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=165 ext_insertionTimestamp=2021-09-16T19:18:39.568109Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.019Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.994Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568109Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Java.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":165,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3b387d2bf8ce6d3b92a5f1db751813f9\",\"sha256Checksum\":\"ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361\",\"createTimestamp\":\"2021-09-16T14:29:41.019Z\",\"modifyTimestamp\":\"2021-09-16T14:29:41.020Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,
\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_11_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-45612c08-8262-5116-a9f8-17732756f8ff", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.994Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Java.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:41.020Z", "application/x-sh", "DELETED", "162.222.47.183", "kathy.kane", "ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361", "2021-09-16T19:20:29.168Z", 165, "code42-exfil-share-datatype", "3b387d2bf8ce6d3b92a5f1db751813f9", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.994Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:41.019Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:28:00.876Z 804e3b095828 Skyformation - 8042611856875895468 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 dproc=file events 
dtz=default-tenant end=1631831280876 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:28:00.876Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:28:00.304Z ext_md5Checksum=453ec6ef064fa5bc0c6f50ee2d5204e5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660904 ext_insertionTimestamp=2021-09-16T22:28:42.643367Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:28:00.876Z\",\"insertionTimestamp\":\"2021-09-16T22:28:42.643367Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660904,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"453ec6ef064fa5bc0c6f50ee2d5204e5\",\"sha256Checksum\":\"853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:28:00.304Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:28:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61426_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5a4f38a7-721b-5a46-af92-9b379e22e83f", "observed_start_time": "2021-09-16T22:28:00Z", "count": 1, "observable_type": "email", "ctr_uuid": "4b7ab028-acaa-4fb1-b37e-526ecd458912", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:28:00.876Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:28:00.304Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108", "2021-09-16T22:30:29.500Z", 6660904, "code42-exfil-share-datatype", "453ec6ef064fa5bc0c6f50ee2d5204e5", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:28:00.876Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:59:02.980Z\",\"insertionTimestamp\":\"2021-09-16T23:01:17.003636Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661803,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7a691f6c406d52373ad2c62e2f480bb3\",\"sha256Checksum\":\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:59:00.670Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:59:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a65e4551-47d7-5f70-a259-006cd2ea2894", "observed_start_time": "2021-09-16T22:59:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "f0a0ad4f-0f73-4ac4-96d8-488f86fa742f", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:59:02.980Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:59:00.670Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3", "2021-09-16T23:02:30.314Z", 6661803, "code42-exfil-share-datatype", "7a691f6c406d52373ad2c62e2f480bb3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:59:02.980Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:14.828Z 804e3b095828 Skyformation - 4988657070909514900 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819714828 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:14.828Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:13.679Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567549Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:13.658Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:14.828Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567549Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-Test42Runner-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":468043,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2fa8d4d1035f2e127169e5e649d52ed1\",\"sha256Checksum\":\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"createTimestamp\":\"2021-09-16T19:15:13.658Z\",\"modifyTimestamp\":\"2021-09-16T19:15:13.679Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:14Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-747337c7-1290-5526-abdf-d50e6103d1ac", "observed_start_time": "2021-09-16T19:15:14Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:14.828Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-Test42Runner-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:13.679Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4", "2021-09-16T19:20:29.172Z", 468043, "code42-exfil-share-datatype", "2fa8d4d1035f2e127169e5e649d52ed1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:14.828Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:13.658Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.775Z 804e3b095828 Skyformation - 235457846511697461 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718775 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.775Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.687Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567939Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.378Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.775Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567939Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11047889,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c32214157ad2def6a511701ce4e0a562\",\"sha256Checksum\":\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"createTimestamp\":\"2021-09-16T19:15:18.378Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.687Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emai
lFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0d18a5dd-0e2a-5b84-b619-3d537c56b3d0", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.775Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.687Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b", "2021-09-16T19:20:29.172Z", 11047889, "code42-exfil-share-datatype", "c32214157ad2def6a511701ce4e0a562", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.775Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.378Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:39:00.951Z 804e3b095828 Skyformation - 3085221760796449695 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 dproc=file events dtz=default-tenant end=1631828340951 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:39:00.951Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:39:00.700Z ext_md5Checksum=5a797dc0a97885951ef7fd87b6f564fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659483 ext_insertionTimestamp=2021-09-16T21:39:50.425897Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:39:00.951Z\",\"insertionTimestamp\":\"2021-09-16T21:39:50.425897Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659483,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5a797dc0a97885951ef7fd87b6f564fe\",\"sha256Checksum\":\"a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:39:00.700Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],
\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:39:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-de89ae13-1740-5d1b-89bb-f85121f0cd75", "observed_start_time": "2021-09-16T21:39:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:39:00.951Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:39:00.700Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c", "2021-09-16T21:40:29.785Z", 6659483, "code42-exfil-share-datatype", "5a797dc0a97885951ef7fd87b6f564fe", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:39:00.951Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.769Z 804e3b095828 Skyformation - 6627546699421659495 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719769 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.769Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.052Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568143Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.979Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.769Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568143Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"test42-console-8.2.3.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2573374,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa7ef1099a4cd7eb288430e0f8621b0c\",\"sha256Checksum\":\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"createTimestamp\":\"2021-09-16T19:15:18.979Z\",\"modifyTimestamp\":\"2021-09-16T19:15:19.052Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_1_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3d31370-5f9b-5151-b1b4-1106238db7e9", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.769Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-console-8.2.3.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:19.052Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee", "2021-09-16T19:20:29.167Z", 2573374, "code42-exfil-share-datatype", "aa7ef1099a4cd7eb288430e0f8621b0c", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.769Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.979Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.893Z 804e3b095828 Skyformation - 4881423058587582298 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715893 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:15.893Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.133Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567870Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:14.961Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.893Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567870Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-common-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6080452,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"08215631827e4179e243d27b5f502f90\",\"sha256Checksum\":\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"createTimestamp\":\"2021-09-16T19:15:14.961Z\",\"modifyTimestamp\":\"2021-09-16T19:15:15.133Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRec
ipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fcfc53ce-2a59-58e6-8c35-da34b1db1be7", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.893Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-common-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:15.133Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1", "2021-09-16T19:20:29.169Z", 6080452, "code42-exfil-share-datatype", "08215631827e4179e243d27b5f502f90", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.893Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:14.961Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.773Z 804e3b095828 Skyformation - 2796256343079738721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718773 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.773Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.342Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 
ext_insertionTimestamp=2021-09-16T19:18:39.568031Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.148Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.773Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568031Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-rest-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6976661,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f20102257ab369adb8dd6cb6c50014fe\",\"sha256Checksum\":\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"createTimestamp\":\"2021-09-16T19:15:18.148Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.342Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61263_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-82473b8d-7e74-50ea-9744-5b08a75c0f86", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.773Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-rest-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.342Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf", "2021-09-16T19:20:29.159Z", 6976661, "code42-exfil-share-datatype", "f20102257ab369adb8dd6cb6c50014fe", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.773Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.148Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 1490067587399469079 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.147Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.567997Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.911Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567997Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7650176,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d2670e017c2aee21fbfa183360468e94\",\"sha256Checksum\":\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"createTimestamp\":\"2021-09-16T14:29:30.911Z\",\"modifyTimestamp\":\"2021-09-16T14:29:31.147Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"ema
ilRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-600d5056-d56f-5d29-8735-28d002a0177c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-file-system-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:31.147Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64", "2021-09-16T19:20:29.157Z", 7650176, "code42-exfil-share-datatype", "d2670e017c2aee21fbfa183360468e94", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.911Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:50:02.277Z 804e3b095828 Skyformation - 5602684442482280736 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 dproc=file events dtz=default-tenant end=1631829002277 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:50:02.277Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:50:00.880Z ext_md5Checksum=b817fe0a78cbc9235abc6adce11beb39 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659802 ext_insertionTimestamp=2021-09-16T21:51:03.096935Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:50:02.277Z\",\"insertionTimestamp\":\"2021-09-16T21:51:03.096935Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659802,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"b817fe0a78cbc9235abc6adce11beb39\",\"sha256Checksum\":\"6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:50:00.880Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8c564a5c-edc3-541c-989b-c9b6584537a0", "observed_start_time": "2021-09-16T21:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:50:02.277Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:50:00.880Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c", "2021-09-16T21:52:29.135Z", 6659802, "code42-exfil-share-datatype", "b817fe0a78cbc9235abc6adce11beb39", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:50:02.277Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.993Z 804e3b095828 Skyformation - 8176639218918911133 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711993 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console.runtimeconfig.json fsize=105 msg=Resource [Resource: file :: Test42Console.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.993Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.653Z ext_md5Checksum=ba8f99b0518b43d8e5cdf3ea1356c600 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105 ext_insertionTimestamp=2021-09-16T19:18:39.567470Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.651Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.993Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567470Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console.runtimeconfig.json\",\"fileType\":\"FILE\",\"fileCategory\":\"Uncategorized\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":105,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"ba8f99b0518b43d8e5cdf3ea1356c600\",\"sha256Checksum\":\"8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86\",\"createTimestamp\":\"2021-09-16T14:29:32.651Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.653Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/json\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_19_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c0e83a93-2af4-5d37-babd-10b1452f228d", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.993Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Test42Console.runtimeconfig.json", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.653Z", "application/json", "DELETED", "162.222.47.183", "kathy.kane", "8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86", "2021-09-16T19:20:29.168Z", 105, "code42-exfil-share-datatype", "ba8f99b0518b43d8e5cdf3ea1356c600", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Uncategorized", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.993Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.651Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.008Z 804e3b095828 Skyformation - 2619095453314890827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712008 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-string-18.0.194-develop-194.jar fsize=14758 msg=Resource [Resource: file :: test42-fixture-string-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:12.008Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-string-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.375Z ext_md5Checksum=0c1b42a22fa41253e0a883a3c2147fa9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14758 ext_insertionTimestamp=2021-09-16T19:18:39.568043Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.371Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.008Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568043Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-string-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14758,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0c1b42a22fa41253e0a883a3c2147fa9\",\"sha256Checksum\":\"a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c\",\"createTimestamp\":\"2021-09-16T14:29:26.371Z\",\"modifyTimestamp\":\"2021-09-16T14:29:26.375Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d692ff50-8a73-5b7c-887a-7ac69931a5ce", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.008Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-string-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:26.375Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c", "2021-09-16T19:20:29.168Z", 14758, "code42-exfil-share-datatype", "0c1b42a22fa41253e0a883a3c2147fa9", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.008Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:26.371Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 465235528329935198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.563Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 
ext_insertionTimestamp=2021-09-16T19:18:39.567718Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.281Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567718Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7657197,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"61898b6da7ebbf3a13be7c76ae49e5f5\",\"sha256Checksum\":\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"createTimestamp\":\"2021-09-16T14:29:30.281Z\",\"modifyTimestamp\":\"2021-09-16T14:29:30.563Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_11_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4e7fd42a-7da6-52ff-a103-0ef33800ab52", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:30.563Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43", "2021-09-16T19:20:29.168Z", 7657197, "code42-exfil-share-datatype", "61898b6da7ebbf3a13be7c76ae49e5f5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.281Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.820Z 804e3b095828 Skyformation - 3517425595454456489 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723820 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was created by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:23.820Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567369Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.820Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567369Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"nethost.h\",\"fileType\":\"FILE\",\"fileCategory\":\"SourceCode\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"SourceCode\",\"fileSize\":2709,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"43b6f3115aa52ad9540bdbe756e1a9b3\",\"sha256Checksum\":\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"createTimestamp\":\"2020-01-17T20:38:56Z\",\"modifyTimestamp\":\"2020-01-17T20:38:56Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":n
ull,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/x-chdr\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9e830775-5347-525c-aedd-78a6ed9a978d", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.820Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "SourceCode", "Endpoint", "nethost.h", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:38:56Z", "text/x-chdr", "CREATED", "162.222.47.183", "kathy.kane", "c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f", "2021-09-16T19:20:29.167Z", 2709, "code42-exfil-share-datatype", "43b6f3115aa52ad9540bdbe756e1a9b3", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "SourceCode", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.820Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:38:56Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 4664902644332636172 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar fsize=14514207 msg=Resource [Resource: file :: test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:29.203Z ext_md5Checksum=34dd2200b09a5c51bbd84acdeb98b606 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14514207 
ext_insertionTimestamp=2021-09-16T19:18:39.567904Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:28.792Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567904Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14514207,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"34dd2200b09a5c51bbd84acdeb98b606\",\"sha256Checksum\":\"13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e\",\"createTimestamp\":\"2021-09-16T14:29:28.792Z\",\"modifyTimestamp\":\"2021-09-16T14:29:29.203Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61263_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1a735af4-fe4a-5bf6-8aa8-32b39f6cb717", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:29.203Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e", "2021-09-16T19:20:29.158Z", 14514207, "code42-exfil-share-datatype", "34dd2200b09a5c51bbd84acdeb98b606", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:28.792Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:23:01.992Z 804e3b095828 Skyformation - 134014797071545939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 dproc=file events dtz=default-tenant end=1631823781992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:23:01.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:23:00.252Z ext_md5Checksum=e95fbbc4261d5827634041a0f12107a0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657279 ext_insertionTimestamp=2021-09-16T20:23:47.534223Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:23:01.992Z\",\"insertionTimestamp\":\"2021-09-16T20:23:47.534223Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657279,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e95fbbc4261d5827634041a0f12107a0\",\"sha256Checksum\":\"2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:23:00.252Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"172.20.64.15\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:23:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-36285ceb-2bb5-537c-aee4-140da8e61c9d", "observed_start_time": "2021-09-16T20:23:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:23:01.992Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "172.20.64.15", "2021-09-16T20:23:00.252Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09", "2021-09-16T20:24:29.211Z", 6657279, "code42-exfil-share-datatype", "e95fbbc4261d5827634041a0f12107a0", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:23:01.992Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:39:00.979Z 804e3b095828 Skyformation - 2580885261986268761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 dproc=file events 
dtz=default-tenant end=1631831940979 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:39:00.979Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:39:00.479Z ext_md5Checksum=693b07e79c0ed75e36f7a60f836ef1a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661223 ext_insertionTimestamp=2021-09-16T22:39:31.810355Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:39:00.979Z\",\"insertionTimestamp\":\"2021-09-16T22:39:31.810355Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661223,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"693b07e79c0ed75e36f7a60f836ef1a9\",\"sha256Checksum\":\"d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:39:00.479Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:39:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bbe544a7-4712-503d-8e2b-e850af9a8a35", "observed_start_time": "2021-09-16T22:39:00Z", "count": 1, "observable_type": "email", "ctr_uuid": "fadc76ee-cf2d-4cbd-b0ed-7a1ca4a07aec", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:39:00.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:39:00.479Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0", "2021-09-16T22:40:29.619Z", 6661223, "code42-exfil-share-datatype", "693b07e79c0ed75e36f7a60f836ef1a9", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:39:00.979Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 3347113359677108016 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XmlSerializer.dll fsize=8704 msg=Resource [Resource: file :: System.Xml.XmlSerializer.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlSerializer.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=0cc4665479b5e519b2597b93577de1aa ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8704 ext_insertionTimestamp=2021-09-16T19:18:39.567112Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567112Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XmlSerializer.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":8704,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0cc4665479b5e519b2597b93577de1aa\",\"sha256Checksum\":\"027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_3_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a8e336e0-e775-5f81-a1d7-1d703bd8e157", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XmlSerializer.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba", "2021-09-16T19:20:29.167Z", 8704, "code42-exfil-share-datatype", "0cc4665479b5e519b2597b93577de1aa", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:23:02.291Z 804e3b095828 Skyformation - 2954122368002305264 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 dproc=file events dtz=default-tenant end=1631827382291 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:23:02.291Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:23:00.987Z ext_md5Checksum=8a6258884d44fdd107707ad5c0cf2bea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659019 ext_insertionTimestamp=2021-09-16T21:23:35.061605Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:23:02.291Z\",\"insertionTimestamp\":\"2021-09-16T21:23:35.061605Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659019,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8a6258884d44fdd107707ad5c0cf2bea\",\"sha256Checksum\":\"4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:23:00.987Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:23:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61418_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5e37db0d-c059-56cc-8397-ed743e0042df", "observed_start_time": "2021-09-16T21:23:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:23:02.291Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:23:00.987Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b", "2021-09-16T21:24:29.095Z", 6659019, "code42-exfil-share-datatype", "8a6258884d44fdd107707ad5c0cf2bea", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:23:02.291Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}], "revListOrder": 4}, "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "eb1b756a", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "email", "value": "kathy.kane@c42se.com"}, "type": "warning", "action_id": "194360e4-b8f2-44b6-9386-2d9df7a3a549", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": 
"942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for kathy.kane@c42se.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "disposition": 5, "type": "email", "value": "kathy.kane@c42se.com", "id": "eb1b756a"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-8db39845-c60b-4d55-b5e2-0c1ad3f3e441", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T09:41:56.216Z", "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"}
\ No newline at end of file
+{"schema_version": "1.1.3", "type": "investigation", "search-txt": "email:\"kathy.kane@c42se.com\"", "actions": "[{\"arg\":\"kathy.kane@c42se.com\",\"created\":\"2021-09-17T08:46:04.089Z\",\"id\":\"collect-e0239c51\",\"result\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T08:46:04.306Z\",\"uuid\":\"e62a0e76-42ce-4977-80a5-d096a2a9bc10\"},{\"arg\":{\"type\":\"email\",\"value\":\"kathy.kane@c42se.com\"},\"created\":\"2021-09-17T08:46:04.326Z\",\"id\":\"investigate-8afc4a57\",\"result\":{\"data\":[{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":100,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T21:23:02.291Z 804e3b095828 Skyformation - 2954122368002305264 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 dproc=file events dtz=default-tenant end=1631827382291 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:23:02.291Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:23:00.987Z ext_md5Checksum=8a6258884d44fdd107707ad5c0cf2bea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659019 ext_insertionTimestamp=2021-09-16T21:23:35.061605Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:23:02.291Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:23:35.061605Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659019,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8a6258884d44fdd107707ad5c0cf2bea\\\",\\\"sha256Checksum\\\":\\\"4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:23:00.987Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61418_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5e37db0d-c059-56cc-8397-ed743e0042df\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:23:02.291Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:23:00.987Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b\",\"2021-09-16T21:24:29.095Z\",6659019,\"code42-exfil-share-datatype\",\"8a6258884d44fdd107707ad5c0cf2bea\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:23:02.291Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 3347113359677108016 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XmlSerializer.dll fsize=8704 msg=Resource [Resource: file :: System.Xml.XmlSerializer.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlSerializer.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=0cc4665479b5e519b2597b93577de1aa ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8704 ext_insertionTimestamp=2021-09-16T19:18:39.567112Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.745Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567112Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XmlSerializer.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":8704,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"0cc4665479b5e519b2597b93577de1aa\\\",\\\"sha256Checksum\\\":\\\"027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_3_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a8e336e0-e775-5f81-a1d7-1d703bd8e157\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.745Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XmlSerializer.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba\",\"2021-09-16T19:20:29.167Z\",8704,\"code42-exfil-share-datatype\",\"0cc4665479b5e519b2597b93577de1aa\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.745Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:39:00.979Z 804e3b095828 Skyformation - 2580885261986268761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 dproc=file events dtz=default-tenant end=1631831940979 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:39:00.979Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:39:00.479Z ext_md5Checksum=693b07e79c0ed75e36f7a60f836ef1a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661223 ext_insertionTimestamp=2021-09-16T22:39:31.810355Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:39:00.979Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:39:31.810355Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661223,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"693b07e79c0ed75e36f7a60f836ef1a9\\\",\\\"sha256Checksum\\\":\\\"d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:39:00.479Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61427_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bbe544a7-4712-503d-8e2b-e850af9a8a35\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:39:00.979Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:39:00.479Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0\",\"2021-09-16T22:40:29.619Z\",6661223,\"code42-exfil-share-datatype\",\"693b07e79c0ed75e36f7a60f836ef1a9\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:39:00.979Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:23:01.992Z 804e3b095828 Skyformation - 134014797071545939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 dproc=file events dtz=default-tenant end=1631823781992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:23:01.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:23:00.252Z ext_md5Checksum=e95fbbc4261d5827634041a0f12107a0 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657279 ext_insertionTimestamp=2021-09-16T20:23:47.534223Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:23:01.992Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:23:47.534223Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657279,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"e95fbbc4261d5827634041a0f12107a0\\\",\\\"sha256Checksum\\\":\\\"2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:23:00.252Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"172.20.64.15\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61341_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-36285ceb-2bb5-537c-aee4-140da8e61c9d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:23:01.992Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"172.20.64.15\",\"2021-09-16T20:23:00.252Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09\",\"2021-09-16T20:24:29.211Z\",6657279,\"code42-exfil-share-datatype\",\"e95fbbc4261d5827634041a0f12107a0\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:23:01.992Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 4664902644332636172 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar fsize=14514207 msg=Resource [Resource: file :: test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:29.203Z ext_md5Checksum=34dd2200b09a5c51bbd84acdeb98b606 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14514207 ext_insertionTimestamp=2021-09-16T19:18:39.567904Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:28.792Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567904Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14514207,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"34dd2200b09a5c51bbd84acdeb98b606\\\",\\\"sha256Checksum\\\":\\\"13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:28.792Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:29.203Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61263_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1a735af4-fe4a-5bf6-8aa8-32b39f6cb717\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:29.203Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e\",\"2021-09-16T19:20:29.158Z\",14514207,\"code42-exfil-share-datatype\",\"34dd2200b09a5c51bbd84acdeb98b606\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:28.792Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.820Z 804e3b095828 Skyformation - 3517425595454456489 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723820 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was created by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.820Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567369Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.820Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567369Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"nethost.h\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"SourceCode\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"SourceCode\\\",\\\"fileSize\\\":2709,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"43b6f3115aa52ad9540bdbe756e1a9b3\\\",\\\"sha256Checksum\\\":\\\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:38:56Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:38:56Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":nu
ll,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/x-chdr\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9e830775-5347-525c-aedd-78a6ed9a978d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:23.820Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"SourceCode\",\"Endpoint\",\"nethost.h\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2020-01-17T20:38:56Z\",\"text/x-chdr\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"2021-09-16T19:20:29.167Z\",2709,\"code42-exfil-share-datatype\",\"43b6f3115aa52ad9540bdbe756e1a9b3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"SourceCode\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.820Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:38:56Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 465235528329935198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.563Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 ext_insertionTimestamp=2021-09-16T19:18:39.567718Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.281Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.006Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567718Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7657197,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"61898b6da7ebbf3a13be7c76ae49e5f5\\\",\\\"sha256Checksum\\\":\\\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:30.281Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:30.563Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_11_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4e7fd42a-7da6-52ff-a103-0ef33800ab52\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.006Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:30.563Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"2021-09-16T19:20:29.168Z\",7657197,\"code42-exfil-share-datatype\",\"61898b6da7ebbf3a13be7c76ae49e5f5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.006Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:30.281Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.008Z 804e3b095828 Skyformation - 2619095453314890827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712008 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-string-18.0.194-develop-194.jar fsize=14758 msg=Resource [Resource: file :: test42-fixture-string-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.008Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-string-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.375Z ext_md5Checksum=0c1b42a22fa41253e0a883a3c2147fa9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14758 ext_insertionTimestamp=2021-09-16T19:18:39.568043Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.371Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.008Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568043Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-string-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14758,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"0c1b42a22fa41253e0a883a3c2147fa9\\\",\\\"sha256Checksum\\\":\\\"a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:26.371Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:26.375Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d692ff50-8a73-5b7c-887a-7ac69931a5ce\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.008Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-string-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:26.375Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c\",\"2021-09-16T19:20:29.168Z\",14758,\"code42-exfil-share-datatype\",\"0c1b42a22fa41253e0a883a3c2147fa9\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.008Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:26.371Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.993Z 804e3b095828 Skyformation - 8176639218918911133 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711993 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console.runtimeconfig.json fsize=105 msg=Resource [Resource: file :: Test42Console.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.993Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.653Z ext_md5Checksum=ba8f99b0518b43d8e5cdf3ea1356c600 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105 ext_insertionTimestamp=2021-09-16T19:18:39.567470Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.651Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.993Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567470Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console.runtimeconfig.json\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Uncategorized\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":105,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"ba8f99b0518b43d8e5cdf3ea1356c600\\\",\\\"sha256Checksum\\\":\\\"8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.651Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.653Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removab
leMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/json\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c0e83a93-2af4-5d37-babd-10b1452f228d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.993Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"Test42Console.runtimeconfig.json\",\"KATHYK-O
SX (2)\",\"localhost\",\"2021-09-16T14:29:32.653Z\",\"application/json\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86\",\"2021-09-16T19:20:29.168Z\",105,\"code42-exfil-share-datatype\",\"ba8f99b0518b43d8e5cdf3ea1356c600\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Uncategorized\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.993Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.651Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:50:02.277Z 804e3b095828 Skyformation - 5602684442482280736 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 dproc=file events dtz=default-tenant end=1631829002277 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:50:02.277Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:50:00.880Z ext_md5Checksum=b817fe0a78cbc9235abc6adce11beb39 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659802 ext_insertionTimestamp=2021-09-16T21:51:03.096935Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:50:02.277Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:51:03.096935Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659802,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"b817fe0a78cbc9235abc6adce11beb39\\\",\\\"sha256Checksum\\\":\\\"6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:50:00.880Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61423_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8c564a5c-edc3-541c-989b-c9b6584537a0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:50:02.277Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:50:00.880Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c\",\"2021-09-16T21:52:29.135Z\",6659802,\"code42-exfil-share-datatype\",\"b817fe0a78cbc9235abc6adce11beb39\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:50:02.277Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 1490067587399469079 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.147Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.567997Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.911Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567997Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-file-system-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7650176,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d2670e017c2aee21fbfa183360468e94\\\",\\\"sha256Checksum\\\":\\\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:30.911Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:31.147Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-600d5056-d56f-5d29-8735-28d002a0177c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:31.147Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"2021-09-16T19:20:29.157Z\",7650176,\"code42-exfil-share-datatype\",\"d2670e017c2aee21fbfa183360468e94\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:30.911Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:18.773Z 804e3b095828 Skyformation - 2796256343079738721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718773 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.773Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.342Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 ext_insertionTimestamp=2021-09-16T19:18:39.568031Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.148Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:18.773Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568031Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-rest-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6976661,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"f20102257ab369adb8dd6cb6c50014fe\\\",\\\"sha256Checksum\\\":\\\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.148Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.342Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61263_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-82473b8d-7e74-50ea-9744-5b08a75c0f86\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:18.773Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-rest-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.342Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"2021-09-16T19:20:29.159Z\",6976661,\"code42-exfil-share-datatype\",\"f20102257ab369adb8dd6cb6c50014fe\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:18.773Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.148Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:15.893Z 804e3b095828 Skyformation - 4881423058587582298 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715893 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.893Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.133Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567870Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:14.961Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:15.893Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567870Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-common-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6080452,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"08215631827e4179e243d27b5f502f90\\\",\\\"sha256Checksum\\\":\\\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:14.961Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:15.133Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fcfc53ce-2a59-58e6-8c35-da34b1db1be7\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:15.893Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-common-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:15.133Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"2021-09-16T19:20:29.169Z\",6080452,\"code42-exfil-share-datatype\",\"08215631827e4179e243d27b5f502f90\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:15.893Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:14.961Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:19.769Z 804e3b095828 Skyformation - 6627546699421659495 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719769 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.769Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.052Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568143Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.979Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:19.769Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568143Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"test42-console-8.2.3.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2573374,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"aa7ef1099a4cd7eb288430e0f8621b0c\\\",\\\"sha256Checksum\\\":\\\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.979Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:19.052Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusT
ype\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d3d31370-5f9b-5151-b1b4-1106238db7e9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:19.769Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-console-8.2.3.jar\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:15:19.052Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"2021-09-16T19:20:29.167Z\",2573374,\"code42-exfil-share-datatype\",\"aa7ef1099a4cd7eb288430e0f8621b0c\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:19.769Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.979Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:39:00.951Z 804e3b095828 Skyformation - 3085221760796449695 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 dproc=file events dtz=default-tenant end=1631828340951 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:39:00.951Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:39:00.700Z ext_md5Checksum=5a797dc0a97885951ef7fd87b6f564fe ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659483 ext_insertionTimestamp=2021-09-16T21:39:50.425897Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:39:00.951Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:39:50.425897Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659483,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"5a797dc0a97885951ef7fd87b6f564fe\\\",\\\"sha256Checksum\\\":\\\"a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:39:00.700Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61421_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-de89ae13-1740-5d1b-89bb-f85121f0cd75\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:39:00.951Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:39:00.700Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c\",\"2021-09-16T21:40:29.785Z\",6659483,\"code42-exfil-share-datatype\",\"5a797dc0a97885951ef7fd87b6f564fe\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:39:00.951Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:18.775Z 804e3b095828 Skyformation - 235457846511697461 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718775 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.775Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.687Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567939Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.378Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:18.775Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567939Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11047889,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"c32214157ad2def6a511701ce4e0a562\\\",\\\"sha256Checksum\\\":\\\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.378Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.687Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0d18a5dd-0e2a-5b84-b619-3d537c56b3d0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:18.775Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.687Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"2021-09-16T19:20:29.172Z\",11047889,\"code42-exfil-share-datatype\",\"c32214157ad2def6a511701ce4e0a562\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:18.775Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.378Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:14.828Z 804e3b095828 Skyformation - 4988657070909514900 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819714828 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:14.828Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:13.679Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567549Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:13.658Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:14.828Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567549Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"dotnet-Test42Runner-8.2.3.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":468043,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2fa8d4d1035f2e127169e5e649d52ed1\\\",\\\"sha256Checksum\\\":\\\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:13.658Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:13.679Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusTyp
e\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-747337c7-1290-5526-abdf-d50e6103d1ac\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:14.828Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"dotnet-Test42Runner-8.2.3.zip\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:15:13.679Z\",\"application/zip\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"2021-09-16T19:20:29.172Z\",468043,\"code42-exfil-share-datatype\",\"2fa8d4d1035f2e127169e5e649d52ed1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:14.828Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:13.658Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:59:02.980Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:01:17.003636Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661803,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"7a691f6c406d52373ad2c62e2f480bb3\\\",\\\"sha256Checksum\\\":\\\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:59:00.670Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a65e4551-47d7-5f70-a259-006cd2ea2894\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:59:02.980Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:59:00.670Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"2021-09-16T23:02:30.314Z\",6661803,\"code42-exfil-share-datatype\",\"7a691f6c406d52373ad2c62e2f480bb3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:59:02.980Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:28:00.876Z 804e3b095828 Skyformation - 8042611856875895468 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 dproc=file events dtz=default-tenant end=1631831280876 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:28:00.876Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:28:00.304Z ext_md5Checksum=453ec6ef064fa5bc0c6f50ee2d5204e5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660904 ext_insertionTimestamp=2021-09-16T22:28:42.643367Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:28:00.876Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:28:42.643367Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660904,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"453ec6ef064fa5bc0c6f50ee2d5204e5\\\",\\\"sha256Checksum\\\":\\\"853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:28:00.304Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61426_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5a4f38a7-721b-5a46-af92-9b379e22e83f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:28:00.876Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:28:00.304Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108\",\"2021-09-16T22:30:29.500Z\",6660904,\"code42-exfil-share-datatype\",\"453ec6ef064fa5bc0c6f50ee2d5204e5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:28:00.876Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 5692899194704443110 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Java.sh fsize=165 msg=Resource [Resource: file :: launchTest42Console-Java.sh] was deleted by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Java.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.020Z ext_md5Checksum=3b387d2bf8ce6d3b92a5f1db751813f9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=165 ext_insertionTimestamp=2021-09-16T19:18:39.568109Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.019Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.994Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568109Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"launchTest42Console-Java.sh\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Script\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Script\\\",\\\"fileSize\\\":165,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3b387d2bf8ce6d3b92a5f1db751813f9\\\",\\\"sha256Checksum\\\":\\\"ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:41.019Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:41.020Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":
null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-sh\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_11_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-45612c08-8262-5116-a9f8-17732756f8ff\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.994Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Script\",\"Endpoint\",\"launchTest42Console-Java.sh\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:41.020Z\",\"application/x-sh\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361\",\"2021-09-16T19:20:29.168Z\",165,\"code42-exfil-share-datatype\",\"3b387d2bf8ce6d3b92a5f1db751813f9\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Script\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.994Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:41.019Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] 
ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE 
Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-75e7c90f-681b-5167-ab1f-93253718bf60\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.158Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.085Z 804e3b095828 Skyformation - 8692612087128247895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724085 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.085Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567190Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.085Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567190Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"WindowsBase.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d8a0e4361c61034952e56a4eaac26925\\\",\\\"sha256Checksum\\\":\\\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-08f2fe68-910f-5dc7-94c4-c7d30afc8519\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:24.085Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WindowsBase.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"2021-09-16T19:20:29.170Z\",6656,\"code42-exfil-share-datatype\",\"d8a0e4361c61034952e56a4eaac26925\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.085Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:44:00.556Z 804e3b095828 Skyformation - 8674733544075329242 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 dproc=file events dtz=default-tenant end=1631828640556 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:44:00.556Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:44:00.149Z ext_md5Checksum=32ef24cfa95d52085eea12935c55f475 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659628 ext_insertionTimestamp=2021-09-16T21:45:15.841469Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:44:00.556Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:45:15.841469Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659628,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"32ef24cfa95d52085eea12935c55f475\\\",\\\"sha256Checksum\\\":\\\"a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:44:00.149Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61421_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-23911c2c-7e26-51bc-9fea-5f05b4c871cf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:44:00.556Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:44:00.149Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a\",\"2021-09-16T21:46:29.997Z\",6659628,\"code42-exfil-share-datatype\",\"32ef24cfa95d52085eea12935c55f475\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:44:00.556Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:18.772Z 804e3b095828 Skyformation - 8294759705628931815 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.772Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.095Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.568008Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.884Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:18.772Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568008Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-file-system-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7650176,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d2670e017c2aee21fbfa183360468e94\\\",\\\"sha256Checksum\\\":\\\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:17.884Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.095Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f63d3086-bd17-55ab-81cc-54fc91e7d10b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:18.772Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.095Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"2021-09-16T19:20:29.172Z\",7650176,\"code42-exfil-share-datatype\",\"d2670e017c2aee21fbfa183360468e94\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:18.772Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:17.884Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:01:01.023Z 804e3b095828 Skyformation - 2456916627922492488 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 dproc=file events dtz=default-tenant end=1631822461023 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:01:01.023Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:01:00.608Z ext_md5Checksum=2ee6250bd1e7bd8600f0961bd3324d4e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656641 ext_insertionTimestamp=2021-09-16T20:02:04.344088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:01:01.023Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:02:04.344088Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656641,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2ee6250bd1e7bd8600f0961bd3324d4e\\\",\\\"sha256Checksum\\\":\\\"1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:01:00.608Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61339_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-fc4db0ba-18cc-5107-a914-084f635c52af\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:01:01.023Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:01:00.608Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54\",\"2021-09-16T20:04:28.310Z\",6656641,\"code42-exfil-share-datatype\",\"2ee6250bd1e7bd8600f0961bd3324d4e\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:01:01.023Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.821Z 804e3b095828 Skyformation - 1605658926549055429 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723821 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.821Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567392Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.821Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567392Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"netstandard.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":105472,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3d47f885a18937d6fd0fde935538560b\\\",\\\"sha256Checksum\\\":\\\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2481047e-5ae4-543b-9028-8e19e3e05566\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:23.821Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"netstandard.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"2021-09-16T19:20:29.170Z\",105472,\"code42-exfil-share-datatype\",\"3d47f885a18937d6fd0fde935538560b\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.821Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:15.897Z 804e3b095828 Skyformation - 5723685368446080373 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715897 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar fsize=41227 msg=Resource [Resource: file :: test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.897Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.419Z ext_md5Checksum=e98fb5f87aed64e2d32116bc565d2dec ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=41227 ext_insertionTimestamp=2021-09-16T19:18:39.567796Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.414Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:15.897Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567796Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":41227,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"e98fb5f87aed64e2d32116bc565d2dec\\\",\\\"sha256Checksum\\\":\\\"95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:15.414Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:15.419Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4386ebf1-b7bd-5cc7-9d76-25107a9a2069\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:15.897Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:15.419Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806\",\"2021-09-16T19:20:29.157Z\",41227,\"code42-exfil-share-datatype\",\"e98fb5f87aed64e2d32116bc565d2dec\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:15.897Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:15.414Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:19.761Z 804e3b095828 Skyformation - 2980995002300610810 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719761 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.761Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.832Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 ext_insertionTimestamp=2021-09-16T19:18:39.567638Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.812Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:19.761Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567638Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/dotnet/\\\",\\\"fileName\\\":\\\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":652056,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"23ba5e96a691edc4773fec0f88bf952f\\\",\\\"sha256Checksum\\\":\\\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.812Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.832Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c978eb4a-4e5b-5e42-870b-1d5172367949\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:19.761Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.832Z\",\"application/zip\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"2021-09-16T19:20:29.168Z\",652056,\"code42-exfil-share-datatype\",\"23ba5e96a691edc4773fec0f88bf952f\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:19.761Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.812Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:49:02.292Z 804e3b095828 Skyformation - 1350603041899679478 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 dproc=file events dtz=default-tenant end=1631832542292 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:49:02.292Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:49:00.527Z ext_md5Checksum=e36e7a007a335fab0b5c84fd64dfdccc ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661513 ext_insertionTimestamp=2021-09-16T22:50:23.782238Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:49:02.292Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:50:23.782238Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661513,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"e36e7a007a335fab0b5c84fd64dfdccc\\\",\\\"sha256Checksum\\\":\\\"5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:49:00.527Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61444_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-af4fbb0a-af39-5538-9106-9b2db2646476\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:49:02.292Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:49:00.527Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca\",\"2021-09-16T22:52:31.870Z\",6661513,\"code42-exfil-share-datatype\",\"e36e7a007a335fab0b5c84fd64dfdccc\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:49:02.292Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.801Z 804e3b095828 Skyformation - 621632533739725350 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723801 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.801Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567212Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.801Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567212Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libclrjit.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":2741416,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"650f69041d44556a5f3bdbcace8b3dea\\\",\\\"sha256Checksum\\\":\\\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\\\",\\\"createTimestamp\\\":\\\"2020-01-17T02:29:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T02:29:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4ae4ea8f-75b0-5f70-bab5-178877150abf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:23.801Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libclrjit.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T02:29:02Z\",\"application/octet-stream\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"2021-09-16T19:20:29.158Z\",2741416,\"code42-exfil-share-datatype\",\"650f69041d44556a5f3bdbcace8b3dea\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.801Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T02:29:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:17:02.470Z 804e3b095828 Skyformation - 3355602177351257247 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 dproc=file events dtz=default-tenant end=1631823422470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:17:02.470Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:17:00.510Z ext_md5Checksum=79e223064e50c50dc63e89e30862e8f4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657105 ext_insertionTimestamp=2021-09-16T20:18:24.025397Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:17:02.470Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:18:24.025397Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657105,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"79e223064e50c50dc63e89e30862e8f4\\\",\\\"sha256Checksum\\\":\\\"5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:17:00.510Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61341_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6d5a20a2-f50e-5f19-a010-b1be1e470e1d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:17:02.470Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:17:00.510Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3\",\"2021-09-16T20:20:29.219Z\",6657105,\"code42-exfil-share-datatype\",\"79e223064e50c50dc63e89e30862e8f4\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:17:02.470Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:15.898Z 804e3b095828 Skyformation - 4866351305492022215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715898 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.898Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:16.117Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567962Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.422Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:15.898Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567962Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-desktop-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26151827,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"4686b7fd21e7fb7459728108e94bdda5\\\",\\\"sha256Checksum\\\":\\\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:15.422Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:16.117Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f72d64ad-9c47-5fe9-abad-e1411db140d1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:15.898Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:16.117Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"2021-09-16T19:20:29.168Z\",26151827,\"code42-exfil-share-datatype\",\"4686b7fd21e7fb7459728108e94bdda5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:15.898Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:15.422Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:39:02.995Z 804e3b095828 Skyformation - 2457476870350379974 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 dproc=file events dtz=default-tenant end=1631824742995 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:39:02.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:39:00.749Z ext_md5Checksum=c777bda26af371c784639bf97c796a30 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657743 ext_insertionTimestamp=2021-09-16T20:40:03.955501Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:39:02.995Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:40:03.955501Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657743,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"c777bda26af371c784639bf97c796a30\\\",\\\"sha256Checksum\\\":\\\"2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:39:00.749Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61342_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8fd13adc-a57f-52b3-afec-f4d6286a241e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:39:02.995Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:39:00.749Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a\",\"2021-09-16T20:40:29.204Z\",6657743,\"code42-exfil-share-datatype\",\"c777bda26af371c784639bf97c796a30\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:39:02.995Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 3519140269928418882 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.847Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567807Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.631Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567807Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7005905,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"5f7aa4fdb5ef4c7a5a5124f614865982\\\",\\\"sha256Checksum\\\":\\\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:30.631Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:30.847Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c15684c1-40f1-5e8d-a549-ec971abac766\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:30.847Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"2021-09-16T19:20:29.168Z\",7005905,\"code42-exfil-share-datatype\",\"5f7aa4fdb5ef4c7a5a5124f614865982\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:30.631Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:12:03.215Z 804e3b095828 Skyformation - 6886991114765220858 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 dproc=file events dtz=default-tenant end=1631823123215 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:12:03.215Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:12:00.952Z ext_md5Checksum=326e1e96ac5b97f92334ae3ed0af00a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656960 ext_insertionTimestamp=2021-09-16T20:12:57.237021Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:12:03.215Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:12:57.237021Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656960,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"326e1e96ac5b97f92334ae3ed0af00a9\\\",\\\"sha256Checksum\\\":\\\"7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:12:00.952Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61340_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4187d125-6fed-5e14-872a-e781ac9c07c7\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:12:03.215Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:12:00.952Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc\",\"2021-09-16T20:14:29.101Z\",6656960,\"code42-exfil-share-datatype\",\"326e1e96ac5b97f92334ae3ed0af00a9\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:12:03.215Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 8983082904017481833 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:28.729Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567951Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.871Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567951Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-desktop-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26151827,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"4686b7fd21e7fb7459728108e94bdda5\\\",\\\"sha256Checksum\\\":\\\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:27.871Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:28.729Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61269_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ea36b47c-6754-5ecf-931a-a6132c50aa22\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:28.729Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"2021-09-16T19:20:29.170Z\",26151827,\"code42-exfil-share-datatype\",\"4686b7fd21e7fb7459728108e94bdda5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:27.871Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:55:02.138Z 804e3b095828 Skyformation - 729364201181628912 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 dproc=file events dtz=default-tenant end=1631825702138 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:55:02.138Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:55:00.753Z ext_md5Checksum=63d8ad93f3a8ccf161c446bd00ebe0ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658207 ext_insertionTimestamp=2021-09-16T20:56:21.765014Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:55:02.138Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:56:21.765014Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658207,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"63d8ad93f3a8ccf161c446bd00ebe0ee\\\",\\\"sha256Checksum\\\":\\\"d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:55:00.753Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61345_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-288534d9-fd19-501f-a62b-9ccd21200713\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:55:02.138Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:55:00.753Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e\",\"2021-09-16T20:58:28.798Z\",6658207,\"code42-exfil-share-datatype\",\"63d8ad93f3a8ccf161c446bd00ebe0ee\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:55:02.138Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 8309860196715459145 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.239Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567649Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.212Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.006Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567649Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/dotnet/\\\",\\\"fileName\\\":\\\"T42.Automation.Fixture.MachineManager-18.0.13.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":626077,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8824ed0806692fe40c6cc57f282862d1\\\",\\\"sha256Checksum\\\":\\\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.212Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.239Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0e24644f-f291-5bd2-bc35-86a9b5d0b7a3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.006Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:32.239Z\",\"application/zip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"2021-09-16T19:20:29.169Z\",626077,\"code42-exfil-share-datatype\",\"8824ed0806692fe40c6cc57f282862d1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.006Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.212Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:28:03.165Z 804e3b095828 Skyformation - 4940785117334694295 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 dproc=file events dtz=default-tenant end=1631824083165 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:28:03.165Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:28:00.813Z ext_md5Checksum=d4b2584cc8639725ef1a77f10489af6e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657424 ext_insertionTimestamp=2021-09-16T20:29:14.653406Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:28:03.165Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:29:14.653406Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657424,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d4b2584cc8639725ef1a77f10489af6e\\\",\\\"sha256Checksum\\\":\\\"4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:28:00.813Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61341_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-91bf6af3-6d39-5a96-81d4-c4908b781523\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:28:03.165Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T20:28:00.813Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4\",\"2021-09-16T20:30:28.534Z\",6657424,\"code42-exfil-share-datatype\",\"d4b2584cc8639725ef1a77f10489af6e\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:28:03.165Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 8233299408064618554 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567268Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.746Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567268Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libhostpolicy.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":315420,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"006913ffaf68f205cc00bd03cc0d3761\\\",\\\"sha256Checksum\\\":\\\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:42:18Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:42:18Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61262_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b22fa99e-4961-5cd7-94d9-94743bc7cc5a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.746Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libhostpolicy.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:42:18Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"2021-09-16T19:20:29.158Z\",315420,\"code42-exfil-share-datatype\",\"006913ffaf68f205cc00bd03cc0d3761\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.746Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:42:18Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:11:00.794Z 804e3b095828 Skyformation - 2404635122291901530 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 dproc=file events dtz=default-tenant end=1631830260794 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:11:00.794Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:11:00.379Z ext_md5Checksum=951245aef74b1e8b33f4500e499e686a ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660411 ext_insertionTimestamp=2021-09-16T22:12:24.819165Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:11:00.794Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:12:24.819165Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660411,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"951245aef74b1e8b33f4500e499e686a\\\",\\\"sha256Checksum\\\":\\\"e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:11:00.379Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61423_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cfed350e-a44b-53ce-b882-dc197c8f62b6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:11:00.794Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:11:00.379Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da\",\"2021-09-16T22:12:29.328Z\",6660411,\"code42-exfil-share-datatype\",\"951245aef74b1e8b33f4500e499e686a\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:11:00.794Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.074Z 804e3b095828 Skyformation - 8477448688941154930 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724074 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.074Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566968Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.074Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566968Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.Linq.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6144,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2b104a782e44ca704503ca9b3c635c9e\\\",\\\"sha256Checksum\\\":\\\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_14_61269_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e28b082b-fc8d-5d89-9b34-4381e18289c2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:24.074Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.Linq.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"2021-09-16T19:20:29.167Z\",6144,\"code42-exfil-share-datatype\",\"2b104a782e44ca704503ca9b3c635c9e\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.074Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:56:02.173Z 804e3b095828 Skyformation - 7188922889508140062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 dproc=file events dtz=default-tenant end=1631822162173 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:56:02.173Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:56:00.923Z ext_md5Checksum=fc552e5a9046ea13a5d6106e2b2f9b76 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656496 ext_insertionTimestamp=2021-09-16T19:56:39.322640Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:56:02.173Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:56:39.322640Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656496,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"fc552e5a9046ea13a5d6106e2b2f9b76\\\",\\\"sha256Checksum\\\":\\\"3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:56:00.923Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61339_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5b13a540-ce0b-5885-ac3e-33c0b65dba06\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:56:02.173Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:56:00.923Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4\",\"2021-09-16T19:58:28.306Z\",6656496,\"code42-exfil-share-datatype\",\"fc552e5a9046ea13a5d6106e2b2f9b76\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:56:02.173Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.079Z 804e3b095828 Skyformation - 5370534398414402294 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724079 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XmlDocument.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.XmlDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.079Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=447d8892131a4e11ea225e3b1ffe34b1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.079Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567101Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XmlDocument.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"447d8892131a4e11ea225e3b1ffe34b1\\\",\\\"sha256Checksum\\\":\\\"a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f80475c4-c69b-58e5-a9ed-33af9056766f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:24.079Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XmlDocument.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe\",\"2021-09-16T19:20:29.171Z\",6656,\"code42-exfil-share-datatype\",\"447d8892131a4e11ea225e3b1ffe34b1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.079Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:18.770Z 804e3b095828 Skyformation - 6071486703917102800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718770 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.770Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.840Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567818Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.648Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:18.770Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567818Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7005905,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"5f7aa4fdb5ef4c7a5a5124f614865982\\\",\\\"sha256Checksum\\\":\\\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:17.648Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:17.840Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-08118857-1290-5488-af20-857c21d6bdd1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:18.770Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:17.840Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"2021-09-16T19:20:29.169Z\",7005905,\"code42-exfil-share-datatype\",\"5f7aa4fdb5ef4c7a5a5124f614865982\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:18.770Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:17.648Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:44:01.388Z 804e3b095828 Skyformation - 1266689014865399645 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 dproc=file events dtz=default-tenant end=1631832241388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:44:01.388Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:44:00.938Z ext_md5Checksum=b40c0a5ea13afe384316a54705f0d1b4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661368 ext_insertionTimestamp=2021-09-16T22:44:58.435091Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:44:01.388Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:44:58.435091Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661368,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"b40c0a5ea13afe384316a54705f0d1b4\\\",\\\"sha256Checksum\\\":\\\"a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:44:00.938Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61427_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d639f22b-9cff-59ed-9021-3ad255581d0e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:44:01.388Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:44:00.938Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d\",\"2021-09-16T22:46:30.421Z\",6661368,\"code42-exfil-share-datatype\",\"b40c0a5ea13afe384316a54705f0d1b4\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:44:01.388Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:19.755Z 804e3b095828 Skyformation - 1836552121230087232 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719755 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.755Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.755Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567661Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.736Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:19.755Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567661Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/dotnet/\\\",\\\"fileName\\\":\\\"T42.Automation.Fixture.MachineManager-18.0.13.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":626077,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8824ed0806692fe40c6cc57f282862d1\\\",\\\"sha256Checksum\\\":\\\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:18.736Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:18.755Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-28195e6b-c15a-559b-a699-d2f6641591b7\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:19.755Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:18.755Z\",\"application/zip\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"2021-09-16T19:20:29.157Z\",626077,\"code42-exfil-share-datatype\",\"8824ed0806692fe40c6cc57f282862d1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:19.755Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:18.736Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 146293528143524055 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566867Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.743Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566867Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.ValueTuple.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":5632,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"749df27ac6199cfa7c4b38c78528d3c7\\\",\\\"sha256Checksum\\\":\\\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1abdcd59-cf9e-5f35-bf4b-d2994605bd55\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.743Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.ValueTuple.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"2021-09-16T19:20:29.169Z\",5632,\"code42-exfil-share-datatype\",\"749df27ac6199cfa7c4b38c78528d3c7\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.743Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:33:01.545Z 804e3b095828 Skyformation - 7073850292788359537 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 dproc=file events dtz=default-tenant end=1631827981545 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:33:01.545Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:33:00.213Z ext_md5Checksum=20d1f8a835b0834eb7b5d80569deed62 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659309 ext_insertionTimestamp=2021-09-16T21:34:24.032240Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:33:01.545Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:34:24.032240Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659309,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"20d1f8a835b0834eb7b5d80569deed62\\\",\\\"sha256Checksum\\\":\\\"582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:33:00.213Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61421_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5369c67b-c8ed-5b7f-81d6-ec60324367ab\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:33:01.545Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:33:00.213Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c\",\"2021-09-16T21:34:28.994Z\",6659309,\"code42-exfil-share-datatype\",\"20d1f8a835b0834eb7b5d80569deed62\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:33:01.545Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 4590047523480219385 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.338Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 ext_insertionTimestamp=2021-09-16T19:18:39.567627Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.318Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.006Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567627Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/dotnet/\\\",\\\"fileName\\\":\\\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":652056,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"23ba5e96a691edc4773fec0f88bf952f\\\",\\\"sha256Checksum\\\":\\\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.318Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.338Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5e9f4477-1d64-576f-b3a8-241c6015add6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.006Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:32.338Z\",\"application/zip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"2021-09-16T19:20:29.166Z\",652056,\"code42-exfil-share-datatype\",\"23ba5e96a691edc4773fec0f88bf952f\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.006Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.318Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4770681899815013348 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566957Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.744Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566957Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.Linq.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6144,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2b104a782e44ca704503ca9b3c635c9e\\\",\\\"sha256Checksum\\\":\\\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e5d743d0-0232-5b8e-b0cb-1edd0490dd9f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.744Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.Linq.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"2021-09-16T19:20:29.170Z\",6144,\"code42-exfil-share-datatype\",\"2b104a782e44ca704503ca9b3c635c9e\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.744Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.818Z 804e3b095828 Skyformation - 1887769325684873078 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723818 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=mscorlib.dll fsize=57216 msg=Resource [Resource: file :: mscorlib.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.818Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=mscorlib.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T18:07:34Z ext_md5Checksum=9720675697af7ba93cd049a9b7f757ef ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=57216 ext_insertionTimestamp=2021-09-16T19:18:39.567347Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T18:07:34Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.818Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567347Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"mscorlib.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":57216,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"9720675697af7ba93cd049a9b7f757ef\\\",\\\"sha256Checksum\\\":\\\"ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c\\\",\\\"createTimestamp\\\":\\\"2020-01-17T18:07:34Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T18:07:34Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ccf85660-82e2-5086-a281-3206e1b2858e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:23.818Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"mscorlib.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T18:07:34Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c\",\"2021-09-16T19:20:29.167Z\",57216,\"code42-exfil-share-datatype\",\"9720675697af7ba93cd049a9b7f757ef\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.818Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T18:07:34Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 9109378012419032857 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.dll fsize=54784 msg=Resource [Resource: file :: Test42Console-8.2.3.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.508Z ext_md5Checksum=d69ac3af560428f6948dc20b997161ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=54784 ext_insertionTimestamp=2021-09-16T19:18:39.567403Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.502Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.997Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567403Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console-8.2.3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":54784,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d69ac3af560428f6948dc20b997161ee\\\",\\\"sha256Checksum\\\":\\\"880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.502Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.508Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusT
ype\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-71cfb374-ab6b-5662-ab30-1b3fb949df3c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.997Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Test42Console-8.2.3.dll\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:32.508Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43\",\"2021-09-16T19:20:29.167Z\",54784,\"code42-exfil-share-datatype\",\"d69ac3af560428f6948dc20b997161ee\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.997Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.502Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:34:01.973Z 804e3b095828 Skyformation - 2524988023863085362 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 dproc=file events dtz=default-tenant end=1631824441973 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:34:01.973Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:34:00.215Z ext_md5Checksum=ff960d04995e3896e1e5f9b9280fa4ab ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657598 ext_insertionTimestamp=2021-09-16T20:34:41.194795Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:34:01.973Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:34:41.194795Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6657598,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"ff960d04995e3896e1e5f9b9280fa4ab\\\",\\\"sha256Checksum\\\":\\\"80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:34:00.215Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61340_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cab0f6ad-bf33-5b50-a385-5e8c1204635d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:34:01.973Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T20:34:00.215Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f\",\"2021-09-16T20:36:28.548Z\",6657598,\"code42-exfil-share-datatype\",\"ff960d04995e3896e1e5f9b9280fa4ab\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:34:01.973Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 2213325285618451753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.446Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 ext_insertionTimestamp=2021-09-16T19:18:39.568020Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568020Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-rest-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6976661,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"f20102257ab369adb8dd6cb6c50014fe\\\",\\\"sha256Checksum\\\":\\\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:31.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:31.446Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_14_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cd8f9d6d-f964-5596-b969-1adc4cbab814\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-rest-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:31.446Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"2021-09-16T19:20:29.167Z\",6976661,\"code42-exfil-share-datatype\",\"f20102257ab369adb8dd6cb6c50014fe\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:31.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 3843752372852811386 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was deleted by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.005Z ext_md5Checksum=2d2bf0d9382070b7cca29a72b3936e5d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.005Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.994Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568088Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"launchTest42Console-Dotnet.sh\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Script\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Script\\\",\\\"fileSize\\\":202,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2d2bf0d9382070b7cca29a72b3936e5d\\\",\\\"sha256Checksum\\\":\\\"4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:41.005Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:41.005Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\
":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-sh\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bf1190c9-a884-5c2a-bb2c-2795c5d957d1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.994Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Script\",\"Endpoint\",\"launchTest42Console-Dotnet.sh\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:41.005Z\",\"application/x-sh\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca\",\"2021-09-16T19:20:29.167Z\",202,\"code42-exfil-share-datatype\",\"2d2bf0d9382070b7cca29a72b3936e5d\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Script\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.994Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:41.005Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.996Z 804e3b095828 Skyformation - 3176029036093175203 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711996 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-runtime-3.1.2-osx-x64.tar.gz fsize=29915862 msg=Resource [Resource: file :: dotnet-runtime-3.1.2-osx-x64.tar.gz] was deleted by [kathy.kane@c42se.com] proto=gz requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.996Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-runtime-3.1.2-osx-x64.tar.gz ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/gzip ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:36.132Z ext_md5Checksum=f83a55de32ce1a89fb5b123257830cba ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=29915862 ext_insertionTimestamp=2021-09-16T19:18:39.567560Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:35.234Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/gzip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.996Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567560Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"dotnet-runtime-3.1.2-osx-x64.tar.gz\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":29915862,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"f83a55de32ce1a89fb5b123257830cba\\\",\\\"sha256Checksum\\\":\\\"782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:35.234Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:36.132Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMed
iaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/gzip\\\",\\\"mimeTypeByExtension\\\":\\\"application/gzip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61269_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2b217573-785b-532d-860e-9598234213e8\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.996Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"dotnet-runtime-3.1.2-osx-x64.tar.gz\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:36.132Z\",\"application/gzip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855\",\"2021-09-16T19:20:29.167Z\",29915862,\"code42-exfil-share-datatype\",\"f83a55de32ce1a89fb5b123257830cba\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.996Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:35.234Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.747Z 804e3b095828 Skyformation - 6719904774936520368 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711747 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.747Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567380Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.747Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567380Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"netstandard.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":105472,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3d47f885a18937d6fd0fde935538560b\\\",\\\"sha256Checksum\\\":\\\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7c9d9285-5d31-550b-a4b2-9fd3d3b8a388\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.747Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"netstandard.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"2021-09-16T19:20:29.171Z\",105472,\"code42-exfil-share-datatype\",\"3d47f885a18937d6fd0fde935538560b\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.747Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 58574569231396443 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.487Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567858Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.287Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567858Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-common-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6080452,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"08215631827e4179e243d27b5f502f90\\\",\\\"sha256Checksum\\\":\\\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:27.287Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:27.487Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2080f524-24c7-5036-968e-df2b85f1b54f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-common-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:27.487Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"2021-09-16T19:20:29.170Z\",6080452,\"code42-exfil-share-datatype\",\"08215631827e4179e243d27b5f502f90\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:27.287Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 2397866919275056029 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Web.HttpUtility.dll fsize=36864 msg=Resource [Resource: file :: System.Web.HttpUtility.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Web.HttpUtility.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=306b1de856625f7499d783f7b4b79f38 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36864 ext_insertionTimestamp=2021-09-16T19:18:39.566889Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.743Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566889Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Web.HttpUtility.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":36864,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"306b1de856625f7499d783f7b4b79f38\\\",\\\"sha256Checksum\\\":\\\"125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_3_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-811d4e91-e46b-5844-9af9-7c850abf3da3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.743Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Web.HttpUtility.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8\",\"2021-09-16T19:20:29.168Z\",36864,\"code42-exfil-share-datatype\",\"306b1de856625f7499d783f7b4b79f38\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.743Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:34:01.736Z 804e3b095828 Skyformation - 2573052291884632109 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 dproc=file events dtz=default-tenant end=1631820841736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:34:01.736Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:34:00.437Z ext_md5Checksum=5082d25b519827369f4026d1de2ee6ca ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655858 ext_insertionTimestamp=2021-09-16T19:34:57.134540Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:34:01.736Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:34:57.134540Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6655858,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"5082d25b519827369f4026d1de2ee6ca\\\",\\\"sha256Checksum\\\":\\\"7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:34:00.437Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61335_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4d0c40d9-1a17-5018-b60d-c3342b98c94c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:34:01.736Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:34:00.437Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b\",\"2021-09-16T19:36:28.977Z\",6655858,\"code42-exfil-share-datatype\",\"5082d25b519827369f4026d1de2ee6ca\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:34:01.736Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:06:01.487Z 804e3b095828 Skyformation - 6710622959611147958 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 dproc=file events dtz=default-tenant end=1631826361487 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:06:01.487Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:06:00.163Z ext_md5Checksum=60bf5e7434748875904b3d240e9933b7 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658526 ext_insertionTimestamp=2021-09-16T21:07:13.335410Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:06:01.487Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:07:13.335410Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658526,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"60bf5e7434748875904b3d240e9933b7\\\",\\\"sha256Checksum\\\":\\\"f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:06:00.163Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61346_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-367d899b-650f-51b4-a6a1-0534a3961b75\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:06:01.487Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:06:00.163Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba\",\"2021-09-16T21:08:28.978Z\",6658526,\"code42-exfil-share-datatype\",\"60bf5e7434748875904b3d240e9933b7\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:06:01.487Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 7619218699635329950 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567201Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.745Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567201Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libclrjit.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":2741416,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"650f69041d44556a5f3bdbcace8b3dea\\\",\\\"sha256Checksum\\\":\\\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\\\",\\\"createTimestamp\\\":\\\"2020-01-17T02:29:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T02:29:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-66849bfc-3193-508e-8ee8-6bb759846345\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.745Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libclrjit.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T02:29:02Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"2021-09-16T19:20:29.167Z\",2741416,\"code42-exfil-share-datatype\",\"650f69041d44556a5f3bdbcace8b3dea\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.745Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T02:29:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:17:01.240Z 804e3b095828 Skyformation - 6379287197034431494 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 dproc=file events dtz=default-tenant end=1631827021240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:17:01.240Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:17:00.229Z ext_md5Checksum=37d786d2ffe3997a1a4913f817e1163c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658845 ext_insertionTimestamp=2021-09-16T21:18:05.961899Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:17:01.240Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:18:05.961899Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658845,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"37d786d2ffe3997a1a4913f817e1163c\\\",\\\"sha256Checksum\\\":\\\"144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:17:00.229Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61401_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4e4fc7d1-49ea-5c9b-bca5-6f1b79386f29\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:17:01.240Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:17:00.229Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817\",\"2021-09-16T21:18:29.165Z\",6658845,\"code42-exfil-share-datatype\",\"37d786d2ffe3997a1a4913f817e1163c\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:17:01.240Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:55:01.913Z 804e3b095828 Skyformation - 1768128187348227515 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 dproc=file events dtz=default-tenant end=1631829301913 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:55:01.913Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:55:00.543Z ext_md5Checksum=dc00517c1ea40d76a86ac0775630315b ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659947 ext_insertionTimestamp=2021-09-16T21:56:06.248063Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:55:01.913Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:56:06.248063Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659947,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"dc00517c1ea40d76a86ac0775630315b\\\",\\\"sha256Checksum\\\":\\\"dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:55:00.543Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61422_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-15c0c9b0-6bdf-53a1-add0-1f2928d4286d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:55:01.913Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:55:00.543Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37\",\"2021-09-16T21:58:29.321Z\",6659947,\"code42-exfil-share-datatype\",\"dc00517c1ea40d76a86ac0775630315b\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:55:01.913Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:39:03.445Z 804e3b095828 Skyformation - 2624752478966021475 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 dproc=file events dtz=default-tenant end=1631821143445 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:39:03.445Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:39:01.028Z ext_md5Checksum=2f0e54e1e35e34e9a4b6c5b586789edf ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656003 ext_insertionTimestamp=2021-09-16T19:40:23.773101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:39:03.445Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:40:23.773101Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656003,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2f0e54e1e35e34e9a4b6c5b586789edf\\\",\\\"sha256Checksum\\\":\\\"22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:39:01.028Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61338_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d473561a-d486-58d7-9d54-79dca5b2d69e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:39:03.445Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:39:01.028Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534\",\"2021-09-16T19:40:28.880Z\",6656003,\"code42-exfil-share-datatype\",\"2f0e54e1e35e34e9a4b6c5b586789edf\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:39:03.445Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:01:01.612Z 804e3b095828 Skyformation - 5476861324589104236 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 dproc=file events dtz=default-tenant end=1631829661612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:01:01.612Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:01:00.223Z ext_md5Checksum=aa34550e46232e041e8738f575568b63 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660121 ext_insertionTimestamp=2021-09-16T22:01:32.790174Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:01:01.612Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:01:32.790174Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660121,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"aa34550e46232e041e8738f575568b63\\\",\\\"sha256Checksum\\\":\\\"6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:01:00.223Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61423_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7f05d117-a06c-5922-8649-7708e4d80765\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:01:01.612Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:01:00.223Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530\",\"2021-09-16T22:04:30.120Z\",6660121,\"code42-exfil-share-datatype\",\"aa34550e46232e041e8738f575568b63\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:01:01.612Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:06:01.028Z 804e3b095828 Skyformation - 8997259429135136842 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 dproc=file events dtz=default-tenant end=1631829961028 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:06:01.028Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:06:00.773Z ext_md5Checksum=e3826febfa687b19d431037a05e3d695 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660266 ext_insertionTimestamp=2021-09-16T22:06:57.577426Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:06:01.028Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:06:57.577426Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660266,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"e3826febfa687b19d431037a05e3d695\\\",\\\"sha256Checksum\\\":\\\"a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:06:00.773Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61424_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0c80d806-8279-587b-8b43-c95ce2fcdd89\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:06:01.028Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:06:00.773Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6\",\"2021-09-16T22:08:29.515Z\",6660266,\"code42-exfil-share-datatype\",\"e3826febfa687b19d431037a05e3d695\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:06:01.028Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:02.481Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:55:54.847061Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661687,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3df126f4a090da12f2c29b6e5c1c29da\\\",\\\"sha256Checksum\\\":\\\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:00.206Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1d9f33fa-cc28-5fe5-9975-5003f91369d6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:55:02.481Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:55:00.206Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"2021-09-16T22:58:29.755Z\",6661687,\"code42-exfil-share-datatype\",\"3df126f4a090da12f2c29b6e5c1c29da\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:55:02.481Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.033Z 804e3b095828 Skyformation - 5428778102527363807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712033 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.033Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.287Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567537Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.033Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567537Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"dotnet-Test42Runner-8.2.3.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":468043,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"2fa8d4d1035f2e127169e5e649d52ed1\\\",\\\"sha256Checksum\\\":\\\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:26.269Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:26.287Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusTyp
e\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-04487d78-acfd-5735-a210-f113f8855f9c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.033Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"dotnet-Test42Runner-8.2.3.zip\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:26.287Z\",\"application/zip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"2021-09-16T19:20:29.169Z\",468043,\"code42-exfil-share-datatype\",\"2fa8d4d1035f2e127169e5e649d52ed1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.033Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:26.269Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:28:01.712Z 804e3b095828 Skyformation - 891655873053505721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 dproc=file events dtz=default-tenant end=1631827681712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:28:01.712Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:28:00.665Z ext_md5Checksum=043ea115b4517db2f0aa7c5853f7385b ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659164 ext_insertionTimestamp=2021-09-16T21:28:58.572803Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:28:01.712Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:28:58.572803Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6659164,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"043ea115b4517db2f0aa7c5853f7385b\\\",\\\"sha256Checksum\\\":\\\"49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:28:00.665Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61421_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d5a79131-010e-5b41-9357-c3586091d05e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:28:01.712Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T21:28:00.665Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4\",\"2021-09-16T21:30:29.019Z\",6659164,\"code42-exfil-share-datatype\",\"043ea115b4517db2f0aa7c5853f7385b\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:28:01.712Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.078Z 804e3b095828 Skyformation - 7299018334312800224 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724078 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.078Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.567035Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.078Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567035Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XDocument.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6144,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"fef6c873d31e77de3f5c254593f606d0\\\",\\\"sha256Checksum\\\":\\\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_11_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f91637db-83e4-5758-b551-7c227aba1a5d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:24.078Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XDocument.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"2021-09-16T19:20:29.168Z\",6144,\"code42-exfil-share-datatype\",\"fef6c873d31e77de3f5c254593f606d0\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.078Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 2798890335140955527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.567023Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.744Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567023Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XDocument.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6144,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"fef6c873d31e77de3f5c254593f606d0\\\",\\\"sha256Checksum\\\":\\\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ede94b18-04d2-554a-90e6-ab609600fa70\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.744Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XDocument.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"2021-09-16T19:20:29.167Z\",6144,\"code42-exfil-share-datatype\",\"fef6c873d31e77de3f5c254593f606d0\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.744Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 6610991199308768678 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567179Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.745Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567179Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"WindowsBase.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"d8a0e4361c61034952e56a4eaac26925\\\",\\\"sha256Checksum\\\":\\\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-85a1f9cb-fdf2-5bd3-8178-3d11c1f5cec4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.745Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WindowsBase.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"2021-09-16T19:20:29.168Z\",6656,\"code42-exfil-share-datatype\",\"d8a0e4361c61034952e56a4eaac26925\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.745Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:01:00.819Z 804e3b095828 Skyformation - 4261722877678484633 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 dproc=file events dtz=default-tenant end=1631826060819 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:01:00.819Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:01:00.560Z ext_md5Checksum=da192fa26ed85e10ce7bb718251110ad ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658381 ext_insertionTimestamp=2021-09-16T21:01:47.308430Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:01:00.819Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:01:47.308430Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658381,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"da192fa26ed85e10ce7bb718251110ad\\\",\\\"sha256Checksum\\\":\\\"74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:01:00.560Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"172.20.64.15\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":nu
ll,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61345_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7711c718-0e21-5675-bb34-071d60939878\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:01:00.819Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"172.20.64.15\",\"2021-09-16T21:01:00.560Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53\",\"2021-09-16T21:02:28.778Z\",6658381,\"code42-exfil-share-datatype\",\"da192fa26ed85e10ce7bb718251110ad\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:01:00.819Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:27.623Z 804e3b095828 Skyformation - 3964934661273873169 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819727623 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was created by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:27.623Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:27.409Z ext_md5Checksum=232b292616f09cef3e0e8ba9805a2963 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568099Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:27.408Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:27.623Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568099Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"launchTest42Console-Dotnet.sh\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Script\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Script\\\",\\\"fileSize\\\":202,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"232b292616f09cef3e0e8ba9805a2963\\\",\\\"sha256Checksum\\\":\\\"88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:27.408Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:27.409Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\
":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-sh\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0e09b581-9e7d-5195-8a38-88102b9c437d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:27.623Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Script\",\"Endpoint\",\"launchTest42Console-Dotnet.sh\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:15:27.409Z\",\"application/x-sh\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912\",\"2021-09-16T19:20:29.167Z\",202,\"code42-exfil-share-datatype\",\"232b292616f09cef3e0e8ba9805a2963\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Script\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:27.623Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:27.408Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:23:01.314Z 804e3b095828 Skyformation - 930370924908933384 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 dproc=file events dtz=default-tenant end=1631820181314 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:23:01.314Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:23:00.067Z ext_md5Checksum=8ce945a5034d673a8c3df84df944e9e2 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655539 ext_insertionTimestamp=2021-09-16T19:24:05.872543Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:23:01.314Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:24:05.872543Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6655539,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8ce945a5034d673a8c3df84df944e9e2\\\",\\\"sha256Checksum\\\":\\\"eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:23:00.067Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61298_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-edf54539-1473-5d66-97c1-f95cf9899b35\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:23:01.314Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:23:00.067Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f\",\"2021-09-16T19:24:29.929Z\",6655539,\"code42-exfil-share-datatype\",\"8ce945a5034d673a8c3df84df944e9e2\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:23:01.314Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:50:02.065Z 804e3b095828 Skyformation - 8498846088421542075 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 dproc=file events dtz=default-tenant end=1631821802065 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:50:02.065Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:50:00.154Z ext_md5Checksum=419c9c07c999bc2c71e9c8e0d74b3977 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656322 ext_insertionTimestamp=2021-09-16T19:51:24.240399Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:50:02.065Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:51:24.240399Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656322,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"419c9c07c999bc2c71e9c8e0d74b3977\\\",\\\"sha256Checksum\\\":\\\"c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:50:00.154Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61338_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b860517a-d359-5618-b9da-cbb484cb38e6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:50:02.065Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:50:00.154Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb\",\"2021-09-16T19:52:28.142Z\",6656322,\"code42-exfil-share-datatype\",\"419c9c07c999bc2c71e9c8e0d74b3977\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:50:02.065Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7017112942517350907 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was deleted by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567358Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.746Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567358Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"nethost.h\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"SourceCode\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"SourceCode\\\",\\\"fileSize\\\":2709,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"43b6f3115aa52ad9540bdbe756e1a9b3\\\",\\\"sha256Checksum\\\":\\\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:38:56Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:38:56Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":nu
ll,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/x-chdr\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-071fc5f2-9af0-594f-8c83-88575846f14e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.746Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"SourceCode\",\"Endpoint\",\"nethost.h\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2020-01-17T20:38:56Z\",\"text/x-chdr\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"2021-09-16T19:20:29.170Z\",2709,\"code42-exfil-share-datatype\",\"43b6f3115aa52ad9540bdbe756e1a9b3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"SourceCode\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.746Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:38:56Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:19.772Z 804e3b095828 Skyformation - 5124683873500115467 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.772Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.077Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567459Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:19.063Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:19.772Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567459Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console-8.2.3.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":450936,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"58a95b2ee03992ee00ce01ec759b00c8\\\",\\\"sha256Checksum\\\":\\\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:19.063Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:19.077Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":
null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-675576df-ceb0-5a0d-9bfc-3108c7890515\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:19.772Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"Test42Console-8.2.3.zip\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T19:15:19.077Z\",\"application/zip\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"2021-09-16T19:20:29.169Z\",450936,\"code42-exfil-share-datatype\",\"58a95b2ee03992ee00ce01ec759b00c8\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:19.772Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:19.063Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.995Z 804e3b095828 Skyformation - 4477219442250454415 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711995 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.runtimeconfig.json fsize=146 msg=Resource [Resource: file :: Test42Console-8.2.3.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.527Z ext_md5Checksum=3f892e3babc6c74c9637579412fbd0c0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=146 ext_insertionTimestamp=2021-09-16T19:18:39.567426Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.522Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.995Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567426Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console-8.2.3.runtimeconfig.json\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Uncategorized\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":146,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3f892e3babc6c74c9637579412fbd0c0\\\",\\\"sha256Checksum\\\":\\\"938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.522Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.527Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"r
emovableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/json\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a4735e80-2d88-5e48-8ae4-82cd2dea6439\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.995Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"Test42Console-8.2.3.runtimeconfig.json\",\"KATH
YK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:32.527Z\",\"application/json\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2\",\"2021-09-16T19:20:29.172Z\",146,\"code42-exfil-share-datatype\",\"3f892e3babc6c74c9637579412fbd0c0\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Uncategorized\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.995Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.522Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.806Z 804e3b095828 Skyformation - 8403369398149844084 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723806 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.806Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 ext_insertionTimestamp=2021-09-16T19:18:39.567302Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.806Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567302Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libmscordaccore.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":2802552,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"854aa71660522e18506cc263cecea7e2\\\",\\\"sha256Checksum\\\":\\\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\\\",\\\"createTimestamp\\\":\\\"2020-01-17T02:31:44Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T02:31:44Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-02f5047e-64c3-5227-9027-ce0ddb3f83f9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:23.806Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libmscordaccore.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T02:31:44Z\",\"application/octet-stream\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"2021-09-16T19:20:29.169Z\",2802552,\"code42-exfil-share-datatype\",\"854aa71660522e18506cc263cecea7e2\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.806Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T02:31:44Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.999Z 804e3b095828 Skyformation - 8907642681921436779 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711999 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.999Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.646Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567448Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.629Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.999Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567448Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"Test42Console-8.2.3.zip\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Archive\\\",\\\"fileSize\\\":450936,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"58a95b2ee03992ee00ce01ec759b00c8\\\",\\\"sha256Checksum\\\":\\\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.629Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.646Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":
null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/zip\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1c5d953b-5212-5c47-8f16-8cdaa3e74600\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.999Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Archive\",\"Endpoint\",\"Test42Console-8.2.3.zip\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:32.646Z\",\"application/zip\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"2021-09-16T19:20:29.170Z\",450936,\"code42-exfil-share-datatype\",\"58a95b2ee03992ee00ce01ec759b00c8\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Archive\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.999Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.629Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T20:50:02.626Z 804e3b095828 Skyformation - 7056838657966092182 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 dproc=file events dtz=default-tenant end=1631825402626 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:50:02.626Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:50:01.081Z ext_md5Checksum=0e3e512e4db31fdca7839138ea07c3cd ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658062 ext_insertionTimestamp=2021-09-16T20:51:13.592006Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T20:50:02.626Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T20:51:13.592006Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658062,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"0e3e512e4db31fdca7839138ea07c3cd\\\",\\\"sha256Checksum\\\":\\\"6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T20:50:01.081Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_3_61345_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-95ca0967-17bd-5ba1-9638-937d30c72aa1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T20:50:02.626Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T20:50:01.081Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723\",\"2021-09-16T20:52:28.713Z\",6658062,\"code42-exfil-share-datatype\",\"0e3e512e4db31fdca7839138ea07c3cd\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T20:50:02.626Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 1247614792973000445 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XPath.XDocument.dll fsize=7680 msg=Resource [Resource: file :: System.Xml.XPath.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XPath.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=82e06f761ac5ea823337cc0ea0d80265 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7680 ext_insertionTimestamp=2021-09-16T19:18:39.567046Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.744Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567046Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.XPath.XDocument.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7680,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"82e06f761ac5ea823337cc0ea0d80265\\\",\\\"sha256Checksum\\\":\\\"4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f6636ef7-9d0d-57a5-b89c-a4a08d818f4a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.744Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.XPath.XDocument.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec\",\"2021-09-16T19:20:29.169Z\",7680,\"code42-exfil-share-datatype\",\"82e06f761ac5ea823337cc0ea0d80265\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.744Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:33:01.185Z 804e3b095828 Skyformation - 4460753087283045225 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 dproc=file events dtz=default-tenant end=1631831581185 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:33:01.185Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:33:00.790Z ext_md5Checksum=7075f5a9476afb66da2971d452418a61 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661049 ext_insertionTimestamp=2021-09-16T22:34:07.862615Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:33:01.185Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:34:07.862615Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661049,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"7075f5a9476afb66da2971d452418a61\\\",\\\"sha256Checksum\\\":\\\"5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:33:00.790Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61427_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b6618a95-257a-52f5-b542-b6a877095e4e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:33:01.185Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:33:00.790Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7\",\"2021-09-16T22:36:29.677Z\",6661049,\"code42-exfil-share-datatype\",\"7075f5a9476afb66da2971d452418a61\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:33:01.185Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7158143674742709094 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 ext_insertionTimestamp=2021-09-16T19:18:39.567291Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.746Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567291Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libmscordaccore.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":2802552,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"854aa71660522e18506cc263cecea7e2\\\",\\\"sha256Checksum\\\":\\\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\\\",\\\"createTimestamp\\\":\\\"2020-01-17T02:31:44Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T02:31:44Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8198bde8-0245-5e2a-93fc-59c66fb696e4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.746Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libmscordaccore.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T02:31:44Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"2021-09-16T19:20:29.169Z\",2802552,\"code42-exfil-share-datatype\",\"854aa71660522e18506cc263cecea7e2\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.746Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T02:31:44Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:22:01.088Z 804e3b095828 Skyformation - 4749241203676691576 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 dproc=file events dtz=default-tenant end=1631830921088 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:22:01.088Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:22:00.690Z ext_md5Checksum=8e515a38447fb49fafaa3e7170033bae ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660730 ext_insertionTimestamp=2021-09-16T22:23:15.723548Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:22:01.088Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:23:15.723548Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660730,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"8e515a38447fb49fafaa3e7170033bae\\\",\\\"sha256Checksum\\\":\\\"5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:22:00.690Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61425_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ad96c6e7-6d2f-5df9-b6e7-d303a7b7f923\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:22:01.088Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T22:22:00.690Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f\",\"2021-09-16T22:24:29.693Z\",6660730,\"code42-exfil-share-datatype\",\"8e515a38447fb49fafaa3e7170033bae\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:22:01.088Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 6416722578617098322 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-alert-service-rest-1.2.2.jar fsize=7019539 msg=Resource [Resource: file :: test42-fixture-code42-alert-service-rest-1.2.2.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-alert-service-rest-1.2.2.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.763Z ext_md5Checksum=df05453fe8178232379ca092d4b68707 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7019539 ext_insertionTimestamp=2021-09-16T19:18:39.567740Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.546Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.006Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567740Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-code42-alert-service-rest-1.2.2.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7019539,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"df05453fe8178232379ca092d4b68707\\\",\\\"sha256Checksum\\\":\\\"6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:27.546Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:27.763Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61268_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-412a5023-44d2-5525-a625-4f57e9139e3c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.006Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-code42-alert-service-rest-1.2.2.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:27.763Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab\",\"2021-09-16T19:20:29.168Z\",7019539,\"code42-exfil-share-datatype\",\"df05453fe8178232379ca092d4b68707\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.006Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:27.546Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 462618621597382345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.137Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567927Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.822Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:12.007Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567927Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11047889,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"c32214157ad2def6a511701ce4e0a562\\\",\\\"sha256Checksum\\\":\\\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:31.822Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.137Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-97403b8e-6aff-5cd3-a460-803204a1cfc9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:12.007Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T14:29:32.137Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"2021-09-16T19:20:29.169Z\",11047889,\"code42-exfil-share-datatype\",\"c32214157ad2def6a511701ce4e0a562\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:12.007Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:31.822Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.076Z 804e3b095828 Skyformation - 58928744233355401 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724076 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 
ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.076Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567012Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.076Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567012Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.Serialization.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"9f738865f15c0a0be0e20e709bc3d36d\\\",\\\"sha256Checksum\\\":\\\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61266_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-10061513-9751-5b3c-852f-d7df4246f094\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:24.076Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.Serialization.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"2021-09-16T19:20:29.167Z\",6656,\"code42-exfil-share-datatype\",\"9f738865f15c0a0be0e20e709bc3d36d\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.076Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:23.805Z 804e3b095828 Skyformation - 3819734286974639827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723805 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.805Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567280Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:23.805Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567280Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"libhostpolicy.dylib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":315420,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"006913ffaf68f205cc00bd03cc0d3761\\\",\\\"sha256Checksum\\\":\\\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:42:18Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:42:18Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-mach-o\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-452a4ed9-abce-5890-a830-82ddb5eaa49b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:23.805Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libhostpolicy.dylib\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:42:18Z\",\"application/octet-stream\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"2021-09-16T19:20:29.168Z\",315420,\"code42-exfil-share-datatype\",\"006913ffaf68f205cc00bd03cc0d3761\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:23.805Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:42:18Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T21:12:02.578Z 804e3b095828 Skyformation - 1251318046287163167 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 dproc=file events dtz=default-tenant end=1631826722578 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:12:02.578Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:12:00.729Z ext_md5Checksum=dbc1cb1cfb3298c65169ae22e5f6f7c3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658700 ext_insertionTimestamp=2021-09-16T21:12:39.659856Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T21:12:02.578Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T21:12:39.659856Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6658700,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"dbc1cb1cfb3298c65169ae22e5f6f7c3\\\",\\\"sha256Checksum\\\":\\\"04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T21:12:00.729Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,
\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61383_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-762de8d1-3a28-5dc3-9b5a-a2f4a034504c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T21:12:02.578Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T21:12:00.729Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86\",\"2021-09-16T21:14:30.111Z\",6658700,\"code42-exfil-share-datatype\",\"dbc1cb1cfb3298c65169ae22e5f6f7c3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T21:12:02.578Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:17.834Z 804e3b095828 Skyformation - 7862693865552891800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819717834 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:17.834Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.599Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 ext_insertionTimestamp=2021-09-16T19:18:39.567729Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.382Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:17.834Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567729Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/fixtures/java/\\\",\\\"fileName\\\":\\\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7657197,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"61898b6da7ebbf3a13be7c76ae49e5f5\\\",\\\"sha256Checksum\\\":\\\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\\\",\\\"createTimestamp\\\":\\\"2021-09-16T19:15:17.382Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:15:17.599Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1f1a61cc-36a1-5d00-b37d-186d933c3aff\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:17.834Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:15:17.599Z\",\"application/java-archive\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"2021-09-16T19:20:29.170Z\",7657197,\"code42-exfil-share-datatype\",\"61898b6da7ebbf3a13be7c76ae49e5f5\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/fixtures/java/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:17.834Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T19:15:17.382Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4235368662387611807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ 
ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567001Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.744Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.567001Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.Xml.Serialization.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6656,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"9f738865f15c0a0be0e20e709bc3d36d\\\",\\\"sha256Checksum\\\":\\\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61264_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cd2c1f21-0ba5-54a9-a265-cebe9ec4f240\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.744Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"st
ring\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Xml.Serialization.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"2021-09-16T19:20:29.157Z\",6656,\"code42-exfil-share-datatype\",\"9f738865f15c0a0be0e20e709bc3d36d\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.744Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:24.064Z 804e3b095828 Skyformation - 4009757464107454250 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724064 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] 
ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.064Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566878Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23\\\",\\\"eventType\\\":\\\"CREATED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:24.064Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.566878Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\\\",\\\"fileName\\\":\\\"System.ValueTuple.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":5632,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"749df27ac6199cfa7c4b38c78528d3c7\\\",\\\"sha256Checksum\\\":\\\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\\\",\\\"createTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"modifyTimestamp\\\":\\\"2020-01-17T20:41:02Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61265_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-87f5bd74-534f-5452-9443-5780f3c04592\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:24.064Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.ValueTuple.dll\",\"KATHYK-OSX (2)\",\"localhost\",\"2020-01-17T20:41:02Z\",\"application/x-msdownload\",\"CREATED\",\"162.222.47.183\",\"kathy.kane\",\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"2021-09-16T19:20:29.169Z\",5632,\"code42-exfil-share-datatype\",\"749df27ac6199cfa7c4b38c78528d3c7\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:24.064Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-01-17T20:41:02Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 
0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE 
Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-14468291-feda-589f-aff6-c26b375c9a21\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.159Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:17:02.424Z 804e3b095828 Skyformation - 1426281696218831775 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 dproc=file events dtz=default-tenant end=1631830622424 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:17:02.424Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T22:17:01.080Z ext_md5Checksum=45271570c0b4116a1346bc72d738bdb7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660585 ext_insertionTimestamp=2021-09-16T22:18:10.576136Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:17:02.424Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:18:10.576136Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6660585,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"45271570c0b4116a1346bc72d738bdb7\\\",\\\"sha256Checksum\\\":\\\"7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:17:01.080Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61425_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4d8f5eeb-ef31-559e-bd07-4110d914aed6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:17:02.424Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:17:01.080Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf\",\"2021-09-16T22:18:30.436Z\",6660585,\"code42-exfil-share-datatype\",\"45271570c0b4116a1346bc72d738bdb7\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:17:02.424Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 7344986800471780939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.617Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568132Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.538Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:15:11.997Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:18:39.568132Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/test42/\\\",\\\"fileName\\\":\\\"test42-console-8.2.3.jar\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2573374,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"aa7ef1099a4cd7eb288430e0f8621b0c\\\",\\\"sha256Checksum\\\":\\\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\\\",\\\"createTimestamp\\\":\\\"2021-09-16T14:29:32.538Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T14:29:32.617Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX (2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusT
ype\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/zip\\\",\\\"mimeTypeByExtension\\\":\\\"application/java-archive\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61267_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-12273ce2-c1f1-56d6-940c-1caa8cc3def0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:15:11.997Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"test42-console-8.2.3.jar\",\"KATHYK-OSX 
(2)\",\"localhost\",\"2021-09-16T14:29:32.617Z\",\"application/java-archive\",\"DELETED\",\"162.222.47.183\",\"kathy.kane\",\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"2021-09-16T19:20:29.169Z\",2573374,\"code42-exfil-share-datatype\",\"aa7ef1099a4cd7eb288430e0f8621b0c\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/test42/\",\"Executable\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:15:11.997Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2021-09-16T14:29:32.538Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T19:45:02.992Z 804e3b095828 Skyformation - 7407412671789166693 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 dproc=file events dtz=default-tenant end=1631821502992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:45:02.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:45:00.674Z ext_md5Checksum=fdd100bc2a43a9756c77a0f9bc9a6bb1 ext_sharedWith=[] 
ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656177 ext_insertionTimestamp=2021-09-16T19:46:24.888007Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T19:45:02.992Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T19:46:24.888007Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6656177,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"fdd100bc2a43a9756c77a0f9bc9a6bb1\\\",\\\"sha256Checksum\\\":\\\"d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T19:45:00.674Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"kathy.kane@c42se.com\",\"type\":\"email\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61335_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-031676c5-8fde-5d2f-a294-dcc4907a8027\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T19:45:02.992Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\
"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T19:45:00.674Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b\",\"2021-09-16T19:46:29.180Z\",6656177,\"code42-exfil-share-datatype\",\"fdd100bc2a43a9756c77a0f9bc9a6bb1\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T19:45:02.992Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}}]}}}],\"errors\":[{\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"code\":\"too-many-messages-warning\",\"message\":\"There are more messages in Exabeam for kathy.kane@c42se.com than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages.\",\"type\":\"warning\",\"module\":\"Exabeam\"}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T08:46:07.457Z\",\"uuid\":\"194360e4-b8f2-44b6-9386-2d9df7a3a549\"}]", "short_description": "Exabeam_email", "omittedObservables": [], "archivedObservables": [{"key": "2dde50ee-8aa4-4e5b-83b7-465c8f586c94", "value": "kathy.kane@c42se.com", "indicators": [], "type": "email", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "eb1b756a", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "email", "value": "kathy.kane@c42se.com"}, "type": "warning", "action_id": "194360e4-b8f2-44b6-9386-2d9df7a3a549", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for kathy.kane@c42se.com than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "kathy.kane@c42se.com", "id": "eb1b756a", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:45:02.992Z 804e3b095828 Skyformation - 7407412671789166693 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 dproc=file events dtz=default-tenant end=1631821502992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:45:02.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:45:00.674Z ext_md5Checksum=fdd100bc2a43a9756c77a0f9bc9a6bb1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656177 ext_insertionTimestamp=2021-09-16T19:46:24.888007Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:45:02.992Z\",\"insertionTimestamp\":\"2021-09-16T19:46:24.888007Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656177,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fdd100bc2a43a9756c77a0f9bc9a6bb1\",\"sha256Checksum\":\"d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:45:00.674Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:45:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61335_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-031676c5-8fde-5d2f-a294-dcc4907a8027", "observed_start_time": "2021-09-16T19:45:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:45:02.992Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", 
"type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:45:00.674Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b", "2021-09-16T19:46:29.180Z", 6656177, "code42-exfil-share-datatype", "fdd100bc2a43a9756c77a0f9bc9a6bb1", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:45:02.992Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 7344986800471780939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 
ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.617Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568132Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.538Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.997Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568132Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"test42-console-8.2.3.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2573374,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa7ef1099a4cd7eb288430e0f8621b0c\",\"sha256Checksum\":\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"createTimestamp\":\"2021-09-16T14:29:32.538Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.617Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\
":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-12273ce2-c1f1-56d6-940c-1caa8cc3def0", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.997Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-console-8.2.3.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.617Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee", "2021-09-16T19:20:29.169Z", 2573374, "code42-exfil-share-datatype", "aa7ef1099a4cd7eb288430e0f8621b0c", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.997Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.538Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:17:02.424Z 804e3b095828 Skyformation - 1426281696218831775 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 dproc=file events dtz=default-tenant end=1631830622424 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:17:02.424Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:17:01.080Z ext_md5Checksum=45271570c0b4116a1346bc72d738bdb7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660585 ext_insertionTimestamp=2021-09-16T22:18:10.576136Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:17:02.424Z\",\"insertionTimestamp\":\"2021-09-16T22:18:10.576136Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660585,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"45271570c0b4116a1346bc72d738bdb7\",\"sha256Checksum\":\"7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:17:01.080Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:17:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61425_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d8f5eeb-ef31-559e-bd07-4110d914aed6", "observed_start_time": "2021-09-16T22:17:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:17:02.424Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:17:01.080Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf", "2021-09-16T22:18:30.436Z", 6660585, "code42-exfil-share-datatype", "45271570c0b4116a1346bc72d738bdb7", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:17:02.424Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] 
cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-14468291-feda-589f-aff6-c26b375c9a21", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "email", "ctr_uuid": "1430cdb0-e2b9-48e8-b049-c6d851398a76", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.064Z 804e3b095828 Skyformation - 4009757464107454250 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724064 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.064Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566878Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.064Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566878Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.ValueTuple.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5632,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"749df27ac6199cfa7c4b38c78528d3c7\",\"sha256Checksum\":\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailR
ecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-87f5bd74-534f-5452-9443-5780f3c04592", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.064Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ValueTuple.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e", "2021-09-16T19:20:29.169Z", 5632, "code42-exfil-share-datatype", "749df27ac6199cfa7c4b38c78528d3c7", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.064Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4235368662387611807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 
ext_insertionTimestamp=2021-09-16T19:18:39.567001Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567001Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Serialization.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9f738865f15c0a0be0e20e709bc3d36d\",\"sha256Checksum\":\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_7_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cd2c1f21-0ba5-54a9-a265-cebe9ec4f240", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Serialization.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34", "2021-09-16T19:20:29.157Z", 6656, "code42-exfil-share-datatype", "9f738865f15c0a0be0e20e709bc3d36d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:17.834Z 804e3b095828 Skyformation - 7862693865552891800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819717834 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:17.834Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.599Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 ext_insertionTimestamp=2021-09-16T19:18:39.567729Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.382Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:17.834Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567729Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7657197,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"61898b6da7ebbf3a13be7c76ae49e5f5\",\"sha256Checksum\":\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"createTimestamp\":\"2021-09-16T19:15:17.382Z\",\"modifyTimestamp\":\"2021-09-16T19:15:17.599Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":nu
ll,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:17Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1f1a61cc-36a1-5d00-b37d-186d933c3aff", "observed_start_time": "2021-09-16T19:15:17Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:17.834Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:17.599Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43", "2021-09-16T19:20:29.170Z", 7657197, "code42-exfil-share-datatype", "61898b6da7ebbf3a13be7c76ae49e5f5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:17.834Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.382Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:12:02.578Z 804e3b095828 Skyformation - 1251318046287163167 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 dproc=file events dtz=default-tenant end=1631826722578 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:12:02.578Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:12:00.729Z ext_md5Checksum=dbc1cb1cfb3298c65169ae22e5f6f7c3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658700 ext_insertionTimestamp=2021-09-16T21:12:39.659856Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:12:02.578Z\",\"insertionTimestamp\":\"2021-09-16T21:12:39.659856Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658700,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"dbc1cb1cfb3298c65169ae22e5f6f7c3\",\"sha256Checksum\":\"04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:12:00.729Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"
emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:12:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61383_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-762de8d1-3a28-5dc3-9b5a-a2f4a034504c", "observed_start_time": "2021-09-16T21:12:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:12:02.578Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:12:00.729Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86", "2021-09-16T21:14:30.111Z", 6658700, "code42-exfil-share-datatype", "dbc1cb1cfb3298c65169ae22e5f6f7c3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:12:02.578Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.805Z 804e3b095828 Skyformation - 3819734286974639827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723805 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.805Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567280Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.805Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567280Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libhostpolicy.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":315420,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"006913ffaf68f205cc00bd03cc0d3761\",\"sha256Checksum\":\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"createTimestamp\":\"2020-01-17T20:42:18Z\",\"modifyTimestamp\":\"2020-01-17T20:42:18Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_19_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-452a4ed9-abce-5890-a830-82ddb5eaa49b", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.805Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libhostpolicy.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:42:18Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c", "2021-09-16T19:20:29.168Z", 315420, "code42-exfil-share-datatype", "006913ffaf68f205cc00bd03cc0d3761", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.805Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:42:18Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.076Z 804e3b095828 Skyformation - 58928744233355401 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724076 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.076Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567012Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.076Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567012Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Serialization.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9f738865f15c0a0be0e20e709bc3d36d\",\"sha256Checksum\":\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\
"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-10061513-9751-5b3c-852f-d7df4246f094", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.076Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", 
"type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Serialization.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34", "2021-09-16T19:20:29.167Z", 6656, "code42-exfil-share-datatype", "9f738865f15c0a0be0e20e709bc3d36d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.076Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 462618621597382345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.137Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567927Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.822Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567927Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11047889,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c32214157ad2def6a511701ce4e0a562\",\"sha256Checksum\":\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"createTimestamp\":\"2021-09-16T14:29:31.822Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.137Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_2_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-97403b8e-6aff-5cd3-a460-803204a1cfc9", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.137Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b", "2021-09-16T19:20:29.169Z", 11047889, "code42-exfil-share-datatype", "c32214157ad2def6a511701ce4e0a562", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:31.822Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 6416722578617098322 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-alert-service-rest-1.2.2.jar fsize=7019539 msg=Resource [Resource: file :: test42-fixture-code42-alert-service-rest-1.2.2.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-alert-service-rest-1.2.2.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.763Z ext_md5Checksum=df05453fe8178232379ca092d4b68707 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7019539 ext_insertionTimestamp=2021-09-16T19:18:39.567740Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.546Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567740Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-alert-service-rest-1.2.2.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7019539,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"df05453fe8178232379ca092d4b68707\",\"sha256Checksum\":\"6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab\",\"createTimestamp\":\"2021-09-16T14:29:27.546Z\",\"modifyTimestamp\":\"2021-09-16T14:29:27.763Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emai
lRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-412a5023-44d2-5525-a625-4f57e9139e3c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-alert-service-rest-1.2.2.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:27.763Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab", "2021-09-16T19:20:29.168Z", 7019539, "code42-exfil-share-datatype", "df05453fe8178232379ca092d4b68707", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.546Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:22:01.088Z 804e3b095828 Skyformation - 4749241203676691576 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 dproc=file events dtz=default-tenant end=1631830921088 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:22:01.088Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:22:00.690Z ext_md5Checksum=8e515a38447fb49fafaa3e7170033bae ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660730 ext_insertionTimestamp=2021-09-16T22:23:15.723548Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:22:01.088Z\",\"insertionTimestamp\":\"2021-09-16T22:23:15.723548Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660730,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8e515a38447fb49fafaa3e7170033bae\",\"sha256Checksum\":\"5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:22:00.690Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:22:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61425_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ad96c6e7-6d2f-5df9-b6e7-d303a7b7f923", "observed_start_time": "2021-09-16T22:22:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "a7fd941d-edea-4706-9699-2a2f79ca15d2", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:22:01.088Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:22:00.690Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f", "2021-09-16T22:24:29.693Z", 6660730, "code42-exfil-share-datatype", "8e515a38447fb49fafaa3e7170033bae", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:22:01.088Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7158143674742709094 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 
ext_insertionTimestamp=2021-09-16T19:18:39.567291Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567291Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libmscordaccore.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2802552,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"854aa71660522e18506cc263cecea7e2\",\"sha256Checksum\":\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"createTimestamp\":\"2020-01-17T02:31:44Z\",\"modifyTimestamp\":\"2020-01-17T02:31:44Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_13_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8198bde8-0245-5e2a-93fc-59c66fb696e4", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libmscordaccore.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:31:44Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab", "2021-09-16T19:20:29.169Z", 2802552, "code42-exfil-share-datatype", "854aa71660522e18506cc263cecea7e2", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:31:44Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:33:01.185Z 804e3b095828 Skyformation - 4460753087283045225 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 dproc=file events dtz=default-tenant end=1631831581185 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:33:01.185Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:33:00.790Z ext_md5Checksum=7075f5a9476afb66da2971d452418a61 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661049 ext_insertionTimestamp=2021-09-16T22:34:07.862615Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:33:01.185Z\",\"insertionTimestamp\":\"2021-09-16T22:34:07.862615Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661049,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7075f5a9476afb66da2971d452418a61\",\"sha256Checksum\":\"5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:33:00.790Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:33:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b6618a95-257a-52f5-b542-b6a877095e4e", "observed_start_time": "2021-09-16T22:33:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "aa545d84-3600-423b-b4c0-36ff943bb68d", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:33:01.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:33:00.790Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7", "2021-09-16T22:36:29.677Z", 6661049, "code42-exfil-share-datatype", "7075f5a9476afb66da2971d452418a61", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:33:01.185Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 1247614792973000445 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XPath.XDocument.dll fsize=7680 msg=Resource [Resource: file :: System.Xml.XPath.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XPath.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=82e06f761ac5ea823337cc0ea0d80265 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7680 ext_insertionTimestamp=2021-09-16T19:18:39.567046Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567046Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XPath.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7680,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"82e06f761ac5ea823337cc0ea0d80265\",\"sha256Checksum\":\"4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f6636ef7-9d0d-57a5-b89c-a4a08d818f4a", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XPath.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec", "2021-09-16T19:20:29.169Z", 7680, "code42-exfil-share-datatype", "82e06f761ac5ea823337cc0ea0d80265", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:50:02.626Z 804e3b095828 Skyformation - 7056838657966092182 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 dproc=file events dtz=default-tenant end=1631825402626 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:50:02.626Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:50:01.081Z ext_md5Checksum=0e3e512e4db31fdca7839138ea07c3cd ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658062 ext_insertionTimestamp=2021-09-16T20:51:13.592006Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:50:02.626Z\",\"insertionTimestamp\":\"2021-09-16T20:51:13.592006Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658062,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0e3e512e4db31fdca7839138ea07c3cd\",\"sha256Checksum\":\"6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:50:01.081Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_3_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-95ca0967-17bd-5ba1-9638-937d30c72aa1", "observed_start_time": "2021-09-16T20:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:50:02.626Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:50:01.081Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723", "2021-09-16T20:52:28.713Z", 6658062, "code42-exfil-share-datatype", "0e3e512e4db31fdca7839138ea07c3cd", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:50:02.626Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.999Z 804e3b095828 Skyformation - 8907642681921436779 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711999 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.999Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.646Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567448Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-16T14:29:32.629Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.999Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567448Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":450936,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"58a95b2ee03992ee00ce01ec759b00c8\",\"sha256Checksum\":\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"createTimestamp\":\"2021-09-16T14:29:32.629Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.646Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_7_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1c5d953b-5212-5c47-8f16-8cdaa3e74600", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.999Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "Test42Console-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.646Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71", "2021-09-16T19:20:29.170Z", 450936, "code42-exfil-share-datatype", "58a95b2ee03992ee00ce01ec759b00c8", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.999Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.629Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.806Z 804e3b095828 Skyformation - 8403369398149844084 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723806 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.806Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 ext_insertionTimestamp=2021-09-16T19:18:39.567302Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.806Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567302Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libmscordaccore.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2802552,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"854aa71660522e18506cc263cecea7e2\",\"sha256Checksum\":\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"createTimestamp\":\"2020-01-17T02:31:44Z\",\"modifyTimestamp\":\"2020-01-17T02:31:44Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\
"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-02f5047e-64c3-5227-9027-ce0ddb3f83f9", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.806Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libmscordaccore.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:31:44Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab", "2021-09-16T19:20:29.169Z", 2802552, "code42-exfil-share-datatype", "854aa71660522e18506cc263cecea7e2", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.806Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:31:44Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.995Z 804e3b095828 Skyformation - 4477219442250454415 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711995 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.runtimeconfig.json fsize=146 msg=Resource [Resource: file :: Test42Console-8.2.3.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.527Z ext_md5Checksum=3f892e3babc6c74c9637579412fbd0c0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=146 ext_insertionTimestamp=2021-09-16T19:18:39.567426Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.522Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.995Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567426Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.runtimeconfig.json\",\"fileType\":\"FILE\",\"fileCategory\":\"Uncategorized\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":146,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3f892e3babc6c74c9637579412fbd0c0\",\"sha256Checksum\":\"938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2\",\"createTimestamp\":\"2021-09-16T14:29:32.522Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.527Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/json\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a4735e80-2d88-5e48-8ae4-82cd2dea6439", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.995Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Test42Console-8.2.3.runtimeconfig.json", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.527Z", "application/json", "DELETED", "162.222.47.183", "kathy.kane", "938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2", "2021-09-16T19:20:29.172Z", 146, "code42-exfil-share-datatype", "3f892e3babc6c74c9637579412fbd0c0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Uncategorized", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.995Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.522Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.772Z 804e3b095828 Skyformation - 5124683873500115467 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.772Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.077Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567459Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:19.063Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.772Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567459Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":450936,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"58a95b2ee03992ee00ce01ec759b00c8\",\"sha256Checksum\":\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"createTimestamp\":\"2021-09-16T19:15:19.063Z\",\"modifyTimestamp\":\"2021-09-16T19:15:19.077Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,
\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-675576df-ceb0-5a0d-9bfc-3108c7890515", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.772Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "Test42Console-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:19.077Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71", "2021-09-16T19:20:29.169Z", 450936, "code42-exfil-share-datatype", "58a95b2ee03992ee00ce01ec759b00c8", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.772Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:19.063Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7017112942517350907 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was deleted by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567358Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567358Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"nethost.h\",\"fileType\":\"FILE\",\"fileCategory\":\"SourceCode\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"SourceCode\",\"fileSize\":2709,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"43b6f3115aa52ad9540bdbe756e1a9b3\",\"sha256Checksum\":\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"createTimestamp\":\"2020-01-17T20:38:56Z\",\"modifyTimestamp\":\"2020-01-17T20:38:56Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/x-chdr\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61265_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-071fc5f2-9af0-594f-8c83-88575846f14e", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "SourceCode", "Endpoint", "nethost.h", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:38:56Z", "text/x-chdr", "DELETED", "162.222.47.183", "kathy.kane", "c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f", "2021-09-16T19:20:29.170Z", 2709, "code42-exfil-share-datatype", "43b6f3115aa52ad9540bdbe756e1a9b3", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "SourceCode", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:38:56Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:50:02.065Z 804e3b095828 Skyformation - 8498846088421542075 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 dproc=file events dtz=default-tenant end=1631821802065 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:50:02.065Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:50:00.154Z ext_md5Checksum=419c9c07c999bc2c71e9c8e0d74b3977 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656322 ext_insertionTimestamp=2021-09-16T19:51:24.240399Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:50:02.065Z\",\"insertionTimestamp\":\"2021-09-16T19:51:24.240399Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656322,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"419c9c07c999bc2c71e9c8e0d74b3977\",\"sha256Checksum\":\"c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:50:00.154Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61338_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b860517a-d359-5618-b9da-cbb484cb38e6", "observed_start_time": "2021-09-16T19:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:50:02.065Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:50:00.154Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb", "2021-09-16T19:52:28.142Z", 6656322, "code42-exfil-share-datatype", "419c9c07c999bc2c71e9c8e0d74b3977", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:50:02.065Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:23:01.314Z 804e3b095828 Skyformation - 930370924908933384 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 dproc=file events dtz=default-tenant end=1631820181314 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:23:01.314Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:23:00.067Z ext_md5Checksum=8ce945a5034d673a8c3df84df944e9e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655539 ext_insertionTimestamp=2021-09-16T19:24:05.872543Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:23:01.314Z\",\"insertionTimestamp\":\"2021-09-16T19:24:05.872543Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6655539,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8ce945a5034d673a8c3df84df944e9e2\",\"sha256Checksum\":\"eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:23:00.067Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:23:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61298_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-edf54539-1473-5d66-97c1-f95cf9899b35", "observed_start_time": "2021-09-16T19:23:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:23:01.314Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:23:00.067Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f", "2021-09-16T19:24:29.929Z", 6655539, "code42-exfil-share-datatype", "8ce945a5034d673a8c3df84df944e9e2", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:23:01.314Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:27.623Z 804e3b095828 Skyformation - 3964934661273873169 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819727623 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was created by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:27.623Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 
ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:27.409Z ext_md5Checksum=232b292616f09cef3e0e8ba9805a2963 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568099Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:27.408Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:27.623Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568099Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Dotnet.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":202,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"232b292616f09cef3e0e8ba9805a2963\",\"sha256Checksum\":\"88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912\",\"createTimestamp\":\"2021-09-16T19:15:27.408Z\",\"modifyTimestamp\":\"2021-09-16T19:15:27.409Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":fals
e,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0e09b581-9e7d-5195-8a38-88102b9c437d", "observed_start_time": "2021-09-16T19:15:27Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:27.623Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Dotnet.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:27.409Z", "application/x-sh", "CREATED", "162.222.47.183", "kathy.kane", "88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912", "2021-09-16T19:20:29.167Z", 202, "code42-exfil-share-datatype", "232b292616f09cef3e0e8ba9805a2963", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:27.623Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:27.408Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:01:00.819Z 804e3b095828 Skyformation - 4261722877678484633 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 dproc=file 
events dtz=default-tenant end=1631826060819 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:01:00.819Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:01:00.560Z ext_md5Checksum=da192fa26ed85e10ce7bb718251110ad ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658381 ext_insertionTimestamp=2021-09-16T21:01:47.308430Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:01:00.819Z\",\"insertionTimestamp\":\"2021-09-16T21:01:47.308430Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658381,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"da192fa26ed85e10ce7bb718251110ad\",\"sha256Checksum\":\"74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:01:00.560Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"172.20.64.15\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:01:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7711c718-0e21-5675-bb34-071d60939878", "observed_start_time": "2021-09-16T21:01:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:01:00.819Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "172.20.64.15", "2021-09-16T21:01:00.560Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53", "2021-09-16T21:02:28.778Z", 6658381, "code42-exfil-share-datatype", "da192fa26ed85e10ce7bb718251110ad", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:01:00.819Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 6610991199308768678 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567179Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567179Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"WindowsBase.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d8a0e4361c61034952e56a4eaac26925\",\"sha256Checksum\":\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-85a1f9cb-fdf2-5bd3-8178-3d11c1f5cec4", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsBase.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597", "2021-09-16T19:20:29.168Z", 6656, "code42-exfil-share-datatype", "d8a0e4361c61034952e56a4eaac26925", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 2798890335140955527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.567023Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567023Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fef6c873d31e77de3f5c254593f606d0\",\"sha256Checksum\":\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"ema
ilRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ede94b18-04d2-554a-90e6-ab609600fa70", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3", "2021-09-16T19:20:29.167Z", 6144, "code42-exfil-share-datatype", "fef6c873d31e77de3f5c254593f606d0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.078Z 804e3b095828 Skyformation - 7299018334312800224 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724078 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.078Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 
ext_insertionTimestamp=2021-09-16T19:18:39.567035Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.078Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567035Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fef6c873d31e77de3f5c254593f606d0\",\"sha256Checksum\":\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_11_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f91637db-83e4-5758-b551-7c227aba1a5d", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.078Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3", "2021-09-16T19:20:29.168Z", 6144, "code42-exfil-share-datatype", "fef6c873d31e77de3f5c254593f606d0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.078Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:28:01.712Z 804e3b095828 Skyformation - 891655873053505721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 dproc=file events dtz=default-tenant end=1631827681712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:28:01.712Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:28:00.665Z ext_md5Checksum=043ea115b4517db2f0aa7c5853f7385b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659164 ext_insertionTimestamp=2021-09-16T21:28:58.572803Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:28:01.712Z\",\"insertionTimestamp\":\"2021-09-16T21:28:58.572803Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659164,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"043ea115b4517db2f0aa7c5853f7385b\",\"sha256Checksum\":\"49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:28:00.665Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:28:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d5a79131-010e-5b41-9357-c3586091d05e", "observed_start_time": "2021-09-16T21:28:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:28:01.712Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:28:00.665Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4", "2021-09-16T21:30:29.019Z", 6659164, "code42-exfil-share-datatype", "043ea115b4517db2f0aa7c5853f7385b", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:28:01.712Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.033Z 804e3b095828 Skyformation - 5428778102527363807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712033 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.033Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.287Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567537Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.033Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567537Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-Test42Runner-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":468043,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2fa8d4d1035f2e127169e5e649d52ed1\",\"sha256Checksum\":\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"createTimestamp\":\"2021-09-16T14:29:26.269Z\",\"modifyTimestamp\":\"2021-09-16T14:29:26.287Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-04487d78-acfd-5735-a210-f113f8855f9c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-Test42Runner-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:26.287Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4", "2021-09-16T19:20:29.169Z", 468043, "code42-exfil-share-datatype", "2fa8d4d1035f2e127169e5e649d52ed1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.033Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:26.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:02.481Z\",\"insertionTimestamp\":\"2021-09-16T22:55:54.847061Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661687,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3df126f4a090da12f2c29b6e5c1c29da\",\"sha256Checksum\":\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.206Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1d9f33fa-cc28-5fe5-9975-5003f91369d6", "observed_start_time": "2021-09-16T22:55:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "b5e047b0-70bf-4cda-9513-e3fb2fffd016", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:02.481Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:55:00.206Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c", "2021-09-16T22:58:29.755Z", 6661687, "code42-exfil-share-datatype", "3df126f4a090da12f2c29b6e5c1c29da", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:55:02.481Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:06:01.028Z 804e3b095828 Skyformation - 8997259429135136842 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 dproc=file events dtz=default-tenant end=1631829961028 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:06:01.028Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:06:00.773Z ext_md5Checksum=e3826febfa687b19d431037a05e3d695 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660266 ext_insertionTimestamp=2021-09-16T22:06:57.577426Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:06:01.028Z\",\"insertionTimestamp\":\"2021-09-16T22:06:57.577426Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660266,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e3826febfa687b19d431037a05e3d695\",\"sha256Checksum\":\"a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:06:00.773Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:06:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61424_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0c80d806-8279-587b-8b43-c95ce2fcdd89", "observed_start_time": "2021-09-16T22:06:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:06:01.028Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:06:00.773Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6", "2021-09-16T22:08:29.515Z", 6660266, "code42-exfil-share-datatype", "e3826febfa687b19d431037a05e3d695", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:06:01.028Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:01:01.612Z 804e3b095828 Skyformation - 5476861324589104236 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 dproc=file events dtz=default-tenant end=1631829661612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:01:01.612Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:01:00.223Z ext_md5Checksum=aa34550e46232e041e8738f575568b63 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660121 ext_insertionTimestamp=2021-09-16T22:01:32.790174Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:01:01.612Z\",\"insertionTimestamp\":\"2021-09-16T22:01:32.790174Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660121,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa34550e46232e041e8738f575568b63\",\"sha256Checksum\":\"6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:01:00.223Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:01:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7f05d117-a06c-5922-8649-7708e4d80765", "observed_start_time": "2021-09-16T22:01:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:01:01.612Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:01:00.223Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530", "2021-09-16T22:04:30.120Z", 6660121, "code42-exfil-share-datatype", "aa34550e46232e041e8738f575568b63", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:01:01.612Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:39:03.445Z 804e3b095828 Skyformation - 2624752478966021475 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 dproc=file events dtz=default-tenant end=1631821143445 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:39:03.445Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:39:01.028Z ext_md5Checksum=2f0e54e1e35e34e9a4b6c5b586789edf ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656003 ext_insertionTimestamp=2021-09-16T19:40:23.773101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:39:03.445Z\",\"insertionTimestamp\":\"2021-09-16T19:40:23.773101Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656003,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2f0e54e1e35e34e9a4b6c5b586789edf\",\"sha256Checksum\":\"22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:39:01.028Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:39:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61338_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d473561a-d486-58d7-9d54-79dca5b2d69e", "observed_start_time": "2021-09-16T19:39:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:39:03.445Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:39:01.028Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534", "2021-09-16T19:40:28.880Z", 6656003, "code42-exfil-share-datatype", "2f0e54e1e35e34e9a4b6c5b586789edf", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:39:03.445Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:55:01.913Z 804e3b095828 Skyformation - 1768128187348227515 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 dproc=file events dtz=default-tenant end=1631829301913 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:55:01.913Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:55:00.543Z ext_md5Checksum=dc00517c1ea40d76a86ac0775630315b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659947 ext_insertionTimestamp=2021-09-16T21:56:06.248063Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:55:01.913Z\",\"insertionTimestamp\":\"2021-09-16T21:56:06.248063Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659947,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"dc00517c1ea40d76a86ac0775630315b\",\"sha256Checksum\":\"dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:55:00.543Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:55:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61422_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-15c0c9b0-6bdf-53a1-add0-1f2928d4286d", "observed_start_time": "2021-09-16T21:55:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:55:01.913Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:55:00.543Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37", "2021-09-16T21:58:29.321Z", 6659947, "code42-exfil-share-datatype", "dc00517c1ea40d76a86ac0775630315b", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:55:01.913Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:17:01.240Z 804e3b095828 Skyformation - 6379287197034431494 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 dproc=file events dtz=default-tenant end=1631827021240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:17:01.240Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:17:00.229Z ext_md5Checksum=37d786d2ffe3997a1a4913f817e1163c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658845 ext_insertionTimestamp=2021-09-16T21:18:05.961899Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:17:01.240Z\",\"insertionTimestamp\":\"2021-09-16T21:18:05.961899Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658845,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"37d786d2ffe3997a1a4913f817e1163c\",\"sha256Checksum\":\"144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:17:00.229Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:17:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61401_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4e4fc7d1-49ea-5c9b-bca5-6f1b79386f29", "observed_start_time": "2021-09-16T21:17:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:17:01.240Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:17:00.229Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817", "2021-09-16T21:18:29.165Z", 6658845, "code42-exfil-share-datatype", "37d786d2ffe3997a1a4913f817e1163c", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:17:01.240Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 7619218699635329950 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567201Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567201Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libclrjit.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2741416,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"650f69041d44556a5f3bdbcace8b3dea\",\"sha256Checksum\":\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"createTimestamp\":\"2020-01-17T02:29:02Z\",\"modifyTimestamp\":\"2020-01-17T02:29:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_17_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66849bfc-3193-508e-8ee8-6bb759846345", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libclrjit.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:29:02Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959", "2021-09-16T19:20:29.167Z", 2741416, "code42-exfil-share-datatype", "650f69041d44556a5f3bdbcace8b3dea", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:29:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:06:01.487Z 804e3b095828 Skyformation - 6710622959611147958 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 dproc=file events dtz=default-tenant end=1631826361487 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:06:01.487Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:06:00.163Z ext_md5Checksum=60bf5e7434748875904b3d240e9933b7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658526 ext_insertionTimestamp=2021-09-16T21:07:13.335410Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:06:01.487Z\",\"insertionTimestamp\":\"2021-09-16T21:07:13.335410Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658526,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"60bf5e7434748875904b3d240e9933b7\",\"sha256Checksum\":\"f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:06:00.163Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:06:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61346_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-367d899b-650f-51b4-a6a1-0534a3961b75", "observed_start_time": "2021-09-16T21:06:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:06:01.487Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:06:00.163Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba", "2021-09-16T21:08:28.978Z", 6658526, "code42-exfil-share-datatype", "60bf5e7434748875904b3d240e9933b7", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:06:01.487Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:34:01.736Z 804e3b095828 Skyformation - 2573052291884632109 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 dproc=file events dtz=default-tenant 
end=1631820841736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:34:01.736Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:34:00.437Z ext_md5Checksum=5082d25b519827369f4026d1de2ee6ca ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655858 ext_insertionTimestamp=2021-09-16T19:34:57.134540Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:34:01.736Z\",\"insertionTimestamp\":\"2021-09-16T19:34:57.134540Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6655858,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5082d25b519827369f4026d1de2ee6ca\",\"sha256Checksum\":\"7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:34:00.437Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:34:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61335_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d0c40d9-1a17-5018-b60d-c3342b98c94c", "observed_start_time": "2021-09-16T19:34:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:34:01.736Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:34:00.437Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b", "2021-09-16T19:36:28.977Z", 6655858, "code42-exfil-share-datatype", "5082d25b519827369f4026d1de2ee6ca", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:34:01.736Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 2397866919275056029 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Web.HttpUtility.dll fsize=36864 msg=Resource [Resource: file :: System.Web.HttpUtility.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Web.HttpUtility.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=306b1de856625f7499d783f7b4b79f38 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36864 ext_insertionTimestamp=2021-09-16T19:18:39.566889Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.743Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566889Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Web.HttpUtility.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36864,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"306b1de856625f7499d783f7b4b79f38\",\"sha256Checksum\":\"125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_3_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-811d4e91-e46b-5844-9af9-7c850abf3da3", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.743Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Web.HttpUtility.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8", "2021-09-16T19:20:29.168Z", 36864, "code42-exfil-share-datatype", "306b1de856625f7499d783f7b4b79f38", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.743Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 58574569231396443 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.487Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567858Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.287Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567858Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-common-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6080452,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"08215631827e4179e243d27b5f502f90\",\"sha256Checksum\":\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"createTimestamp\":\"2021-09-16T14:29:27.287Z\",\"modifyTimestamp\":\"2021-09-16T14:29:27.487Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRec
ipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2080f524-24c7-5036-968e-df2b85f1b54f", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-common-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:27.487Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1", "2021-09-16T19:20:29.170Z", 6080452, "code42-exfil-share-datatype", "08215631827e4179e243d27b5f502f90", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.287Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.747Z 804e3b095828 Skyformation - 6719904774936520368 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711747 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.747Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567380Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.747Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567380Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"netstandard.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":105472,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3d47f885a18937d6fd0fde935538560b\",\"sha256Checksum\":\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7c9d9285-5d31-550b-a4b2-9fd3d3b8a388", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.747Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "netstandard.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8", "2021-09-16T19:20:29.171Z", 105472, "code42-exfil-share-datatype", "3d47f885a18937d6fd0fde935538560b", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.747Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.996Z 804e3b095828 Skyformation - 3176029036093175203 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711996 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-runtime-3.1.2-osx-x64.tar.gz fsize=29915862 msg=Resource [Resource: file :: dotnet-runtime-3.1.2-osx-x64.tar.gz] was deleted by [kathy.kane@c42se.com] proto=gz requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:11.996Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-runtime-3.1.2-osx-x64.tar.gz ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/gzip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:36.132Z ext_md5Checksum=f83a55de32ce1a89fb5b123257830cba ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=29915862 ext_insertionTimestamp=2021-09-16T19:18:39.567560Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:35.234Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/gzip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.996Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567560Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-runtime-3.1.2-osx-x64.tar.gz\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":29915862,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f83a55de32ce1a89fb5b123257830cba\",\"sha256Checksum\":\"782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855\",\"createTimestamp\":\"2021-09-16T14:29:35.234Z\",\"modifyTimestamp\":\"2021-09-16T14:29:36.132Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActive
Hours\":false,\"mimeTypeByBytes\":\"application/gzip\",\"mimeTypeByExtension\":\"application/gzip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2b217573-785b-532d-860e-9598234213e8", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.996Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-runtime-3.1.2-osx-x64.tar.gz", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:36.132Z", "application/gzip", "DELETED", "162.222.47.183", "kathy.kane", "782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855", "2021-09-16T19:20:29.167Z", 29915862, "code42-exfil-share-datatype", "f83a55de32ce1a89fb5b123257830cba", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.996Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:35.234Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 3843752372852811386 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was deleted by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.005Z ext_md5Checksum=2d2bf0d9382070b7cca29a72b3936e5d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.005Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.994Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568088Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Dotnet.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":202,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2d2bf0d9382070b7cca29a72b3936e5d\",\"sha256Checksum\":\"4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca\",\"createTimestamp\":\"2021-09-16T14:29:41.005Z\",\"modifyTimestamp\":\"2021-09-16T14:29:41.005Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_6_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bf1190c9-a884-5c2a-bb2c-2795c5d957d1", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.994Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Dotnet.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:41.005Z", "application/x-sh", "DELETED", "162.222.47.183", "kathy.kane", "4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca", "2021-09-16T19:20:29.167Z", 202, "code42-exfil-share-datatype", "2d2bf0d9382070b7cca29a72b3936e5d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.994Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:41.005Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 2213325285618451753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.446Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 ext_insertionTimestamp=2021-09-16T19:18:39.568020Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568020Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-rest-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6976661,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f20102257ab369adb8dd6cb6c50014fe\",\"sha256Checksum\":\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"createTimestamp\":\"2021-09-16T14:29:31.221Z\",\"modifyTimestamp\":\"2021-09-16T14:29:31.446Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_14_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cd8f9d6d-f964-5596-b969-1adc4cbab814", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-rest-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:31.446Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf", "2021-09-16T19:20:29.167Z", 6976661, "code42-exfil-share-datatype", "f20102257ab369adb8dd6cb6c50014fe", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:31.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:34:01.973Z 804e3b095828 Skyformation - 2524988023863085362 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 dproc=file events dtz=default-tenant end=1631824441973 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:34:01.973Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:34:00.215Z ext_md5Checksum=ff960d04995e3896e1e5f9b9280fa4ab ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657598 ext_insertionTimestamp=2021-09-16T20:34:41.194795Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:34:01.973Z\",\"insertionTimestamp\":\"2021-09-16T20:34:41.194795Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657598,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"ff960d04995e3896e1e5f9b9280fa4ab\",\"sha256Checksum\":\"80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:34:00.215Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:34:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61340_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cab0f6ad-bf33-5b50-a385-5e8c1204635d", "observed_start_time": "2021-09-16T20:34:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:34:01.973Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:34:00.215Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f", "2021-09-16T20:36:28.548Z", 6657598, "code42-exfil-share-datatype", "ff960d04995e3896e1e5f9b9280fa4ab", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:34:01.973Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 9109378012419032857 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.dll fsize=54784 msg=Resource [Resource: file :: Test42Console-8.2.3.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.508Z ext_md5Checksum=d69ac3af560428f6948dc20b997161ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=54784 ext_insertionTimestamp=2021-09-16T19:18:39.567403Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.502Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.997Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567403Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":54784,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d69ac3af560428f6948dc20b997161ee\",\"sha256Checksum\":\"880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43\",\"createTimestamp\":\"2021-09-16T14:29:32.502Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.508Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_17_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-71cfb374-ab6b-5662-ab30-1b3fb949df3c", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.997Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Test42Console-8.2.3.dll", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.508Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43", "2021-09-16T19:20:29.167Z", 54784, "code42-exfil-share-datatype", "d69ac3af560428f6948dc20b997161ee", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.997Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.502Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.818Z 804e3b095828 Skyformation - 1887769325684873078 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723818 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=mscorlib.dll fsize=57216 msg=Resource [Resource: file :: mscorlib.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.818Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=mscorlib.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T18:07:34Z ext_md5Checksum=9720675697af7ba93cd049a9b7f757ef ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=57216 ext_insertionTimestamp=2021-09-16T19:18:39.567347Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T18:07:34Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.818Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567347Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"mscorlib.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":57216,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9720675697af7ba93cd049a9b7f757ef\",\"sha256Checksum\":\"ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c\",\"createTimestamp\":\"2020-01-17T18:07:34Z\",\"modifyTimestamp\":\"2020-01-17T18:07:34Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipien
ts\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ccf85660-82e2-5086-a281-3206e1b2858e", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.818Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorlib.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T18:07:34Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c", "2021-09-16T19:20:29.167Z", 57216, "code42-exfil-share-datatype", "9720675697af7ba93cd049a9b7f757ef", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.818Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T18:07:34Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4770681899815013348 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566957Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566957Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Linq.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2b104a782e44ca704503ca9b3c635c9e\",\"sha256Checksum\":\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e5d743d0-0232-5b8e-b0cb-1edd0490dd9f", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Linq.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437", "2021-09-16T19:20:29.170Z", 6144, "code42-exfil-share-datatype", "2b104a782e44ca704503ca9b3c635c9e", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 4590047523480219385 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.338Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 ext_insertionTimestamp=2021-09-16T19:18:39.567627Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.318Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567627Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":652056,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"23ba5e96a691edc4773fec0f88bf952f\",\"sha256Checksum\":\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"createTimestamp\":\"2021-09-16T14:29:32.318Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.338Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRe
cipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5e9f4477-1d64-576f-b3a8-241c6015add6", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.FileSystemWindows-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.338Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5", "2021-09-16T19:20:29.166Z", 652056, "code42-exfil-share-datatype", "23ba5e96a691edc4773fec0f88bf952f", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.318Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:33:01.545Z 804e3b095828 Skyformation - 7073850292788359537 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 dproc=file events dtz=default-tenant end=1631827981545 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:33:01.545Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:33:00.213Z ext_md5Checksum=20d1f8a835b0834eb7b5d80569deed62 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659309 ext_insertionTimestamp=2021-09-16T21:34:24.032240Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:33:01.545Z\",\"insertionTimestamp\":\"2021-09-16T21:34:24.032240Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659309,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"20d1f8a835b0834eb7b5d80569deed62\",\"sha256Checksum\":\"582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:33:00.213Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:33:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5369c67b-c8ed-5b7f-81d6-ec60324367ab", "observed_start_time": "2021-09-16T21:33:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:33:01.545Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:33:00.213Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c", "2021-09-16T21:34:28.994Z", 6659309, "code42-exfil-share-datatype", "20d1f8a835b0834eb7b5d80569deed62", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:33:01.545Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 146293528143524055 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566867Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.743Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566867Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.ValueTuple.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5632,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"749df27ac6199cfa7c4b38c78528d3c7\",\"sha256Checksum\":\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_5_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1abdcd59-cf9e-5f35-bf4b-d2994605bd55", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.743Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ValueTuple.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e", "2021-09-16T19:20:29.169Z", 5632, "code42-exfil-share-datatype", "749df27ac6199cfa7c4b38c78528d3c7", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.743Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.755Z 804e3b095828 Skyformation - 1836552121230087232 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719755 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.755Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.755Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567661Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.736Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.755Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567661Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":626077,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8824ed0806692fe40c6cc57f282862d1\",\"sha256Checksum\":\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"createTimestamp\":\"2021-09-16T19:15:18.736Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.755Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-28195e6b-c15a-559b-a699-d2f6641591b7", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.755Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.MachineManager-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.755Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30", "2021-09-16T19:20:29.157Z", 626077, "code42-exfil-share-datatype", "8824ed0806692fe40c6cc57f282862d1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.755Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.736Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:44:01.388Z 804e3b095828 Skyformation - 1266689014865399645 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 dproc=file events dtz=default-tenant end=1631832241388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:44:01.388Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:44:00.938Z ext_md5Checksum=b40c0a5ea13afe384316a54705f0d1b4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661368 ext_insertionTimestamp=2021-09-16T22:44:58.435091Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:44:01.388Z\",\"insertionTimestamp\":\"2021-09-16T22:44:58.435091Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661368,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"b40c0a5ea13afe384316a54705f0d1b4\",\"sha256Checksum\":\"a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:44:00.938Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:44:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d639f22b-9cff-59ed-9021-3ad255581d0e", "observed_start_time": "2021-09-16T22:44:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "a996d996-7445-4022-a863-c1845dab62f5", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:44:01.388Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:44:00.938Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d", "2021-09-16T22:46:30.421Z", 6661368, "code42-exfil-share-datatype", "b40c0a5ea13afe384316a54705f0d1b4", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:44:01.388Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.770Z 804e3b095828 Skyformation - 6071486703917102800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718770 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.770Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.840Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567818Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.648Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.770Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567818Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7005905,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5f7aa4fdb5ef4c7a5a5124f614865982\",\"sha256Checksum\":\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"createTimestamp\":\"2021-09-16T19:15:17.648Z\",\"modifyTimestamp\":\"2021-09-16T19:15:17.840Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-08118857-1290-5488-af20-857c21d6bdd1", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.770Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-visualization-service-rest-2.1.0.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:17.840Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240", "2021-09-16T19:20:29.169Z", 7005905, "code42-exfil-share-datatype", "5f7aa4fdb5ef4c7a5a5124f614865982", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.770Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.648Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.079Z 804e3b095828 Skyformation - 5370534398414402294 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724079 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XmlDocument.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.XmlDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.079Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=447d8892131a4e11ea225e3b1ffe34b1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.079Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567101Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XmlDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"447d8892131a4e11ea225e3b1ffe34b1\",\"sha256Checksum\":\"a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"e
mailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f80475c4-c69b-58e5-a9ed-33af9056766f", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.079Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XmlDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe", "2021-09-16T19:20:29.171Z", 6656, "code42-exfil-share-datatype", "447d8892131a4e11ea225e3b1ffe34b1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.079Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:56:02.173Z 804e3b095828 Skyformation - 7188922889508140062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 dproc=file events dtz=default-tenant end=1631822162173 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:56:02.173Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:56:00.923Z ext_md5Checksum=fc552e5a9046ea13a5d6106e2b2f9b76 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656496 ext_insertionTimestamp=2021-09-16T19:56:39.322640Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:56:02.173Z\",\"insertionTimestamp\":\"2021-09-16T19:56:39.322640Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656496,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fc552e5a9046ea13a5d6106e2b2f9b76\",\"sha256Checksum\":\"3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:56:00.923Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"
emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:56:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61339_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5b13a540-ce0b-5885-ac3e-33c0b65dba06", "observed_start_time": "2021-09-16T19:56:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:56:02.173Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:56:00.923Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4", "2021-09-16T19:58:28.306Z", 6656496, "code42-exfil-share-datatype", "fc552e5a9046ea13a5d6106e2b2f9b76", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:56:02.173Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.074Z 804e3b095828 Skyformation - 8477448688941154930 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724074 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.074Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566968Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.074Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566968Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Linq.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2b104a782e44ca704503ca9b3c635c9e\",\"sha256Checksum\":\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_14_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e28b082b-fc8d-5d89-9b34-4381e18289c2", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.074Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Linq.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437", "2021-09-16T19:20:29.167Z", 6144, "code42-exfil-share-datatype", "2b104a782e44ca704503ca9b3c635c9e", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.074Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:11:00.794Z 804e3b095828 Skyformation - 2404635122291901530 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 dproc=file events dtz=default-tenant end=1631830260794 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:11:00.794Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:11:00.379Z ext_md5Checksum=951245aef74b1e8b33f4500e499e686a ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660411 ext_insertionTimestamp=2021-09-16T22:12:24.819165Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:11:00.794Z\",\"insertionTimestamp\":\"2021-09-16T22:12:24.819165Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660411,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"951245aef74b1e8b33f4500e499e686a\",\"sha256Checksum\":\"e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:11:00.379Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:11:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cfed350e-a44b-53ce-b882-dc197c8f62b6", "observed_start_time": "2021-09-16T22:11:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:11:00.794Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:11:00.379Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da", "2021-09-16T22:12:29.328Z", 6660411, "code42-exfil-share-datatype", "951245aef74b1e8b33f4500e499e686a", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:11:00.794Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 8233299408064618554 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567268Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567268Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libhostpolicy.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":315420,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"006913ffaf68f205cc00bd03cc0d3761\",\"sha256Checksum\":\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"createTimestamp\":\"2020-01-17T20:42:18Z\",\"modifyTimestamp\":\"2020-01-17T20:42:18Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61262_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b22fa99e-4961-5cd7-94d9-94743bc7cc5a", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libhostpolicy.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:42:18Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c", "2021-09-16T19:20:29.158Z", 315420, "code42-exfil-share-datatype", "006913ffaf68f205cc00bd03cc0d3761", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:42:18Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:28:03.165Z 804e3b095828 Skyformation - 4940785117334694295 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 dproc=file events dtz=default-tenant end=1631824083165 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:28:03.165Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:28:00.813Z ext_md5Checksum=d4b2584cc8639725ef1a77f10489af6e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657424 ext_insertionTimestamp=2021-09-16T20:29:14.653406Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:28:03.165Z\",\"insertionTimestamp\":\"2021-09-16T20:29:14.653406Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657424,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d4b2584cc8639725ef1a77f10489af6e\",\"sha256Checksum\":\"4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:28:00.813Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:28:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-91bf6af3-6d39-5a96-81d4-c4908b781523", "observed_start_time": "2021-09-16T20:28:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:28:03.165Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:28:00.813Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4", "2021-09-16T20:30:28.534Z", 6657424, "code42-exfil-share-datatype", "d4b2584cc8639725ef1a77f10489af6e", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:28:03.165Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 8309860196715459145 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.239Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567649Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.212Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567649Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":626077,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8824ed0806692fe40c6cc57f282862d1\",\"sha256Checksum\":\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"createTimestamp\":\"2021-09-16T14:29:32.212Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.239Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_5_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0e24644f-f291-5bd2-bc35-86a9b5d0b7a3", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.MachineManager-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.239Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30", "2021-09-16T19:20:29.169Z", 626077, "code42-exfil-share-datatype", "8824ed0806692fe40c6cc57f282862d1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.212Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:55:02.138Z 804e3b095828 Skyformation - 729364201181628912 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 dproc=file events dtz=default-tenant end=1631825702138 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:55:02.138Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:55:00.753Z ext_md5Checksum=63d8ad93f3a8ccf161c446bd00ebe0ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658207 ext_insertionTimestamp=2021-09-16T20:56:21.765014Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:55:02.138Z\",\"insertionTimestamp\":\"2021-09-16T20:56:21.765014Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658207,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"63d8ad93f3a8ccf161c446bd00ebe0ee\",\"sha256Checksum\":\"d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:55:00.753Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-288534d9-fd19-501f-a62b-9ccd21200713", "observed_start_time": "2021-09-16T20:55:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:55:02.138Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:55:00.753Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e", "2021-09-16T20:58:28.798Z", 6658207, "code42-exfil-share-datatype", "63d8ad93f3a8ccf161c446bd00ebe0ee", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:55:02.138Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 8983082904017481833 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:28.729Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567951Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.871Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567951Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26151827,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"4686b7fd21e7fb7459728108e94bdda5\",\"sha256Checksum\":\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"createTimestamp\":\"2021-09-16T14:29:27.871Z\",\"modifyTimestamp\":\"2021-09-16T14:29:28.729Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ea36b47c-6754-5ecf-931a-a6132c50aa22", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-desktop-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:28.729Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455", "2021-09-16T19:20:29.170Z", 26151827, "code42-exfil-share-datatype", "4686b7fd21e7fb7459728108e94bdda5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.871Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:12:03.215Z 804e3b095828 Skyformation - 6886991114765220858 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 dproc=file events dtz=default-tenant end=1631823123215 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:12:03.215Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:12:00.952Z ext_md5Checksum=326e1e96ac5b97f92334ae3ed0af00a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656960 ext_insertionTimestamp=2021-09-16T20:12:57.237021Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:12:03.215Z\",\"insertionTimestamp\":\"2021-09-16T20:12:57.237021Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656960,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"326e1e96ac5b97f92334ae3ed0af00a9\",\"sha256Checksum\":\"7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:12:00.952Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:12:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61340_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4187d125-6fed-5e14-872a-e781ac9c07c7", "observed_start_time": "2021-09-16T20:12:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:12:03.215Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:12:00.952Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc", "2021-09-16T20:14:29.101Z", 6656960, "code42-exfil-share-datatype", "326e1e96ac5b97f92334ae3ed0af00a9", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:12:03.215Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 3519140269928418882 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.847Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567807Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.631Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567807Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7005905,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5f7aa4fdb5ef4c7a5a5124f614865982\",\"sha256Checksum\":\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"createTimestamp\":\"2021-09-16T14:29:30.631Z\",\"modifyTimestamp\":\"2021-09-16T14:29:30.847Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_0_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c15684c1-40f1-5e8d-a549-ec971abac766", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-visualization-service-rest-2.1.0.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:30.847Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240", "2021-09-16T19:20:29.168Z", 7005905, "code42-exfil-share-datatype", "5f7aa4fdb5ef4c7a5a5124f614865982", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.631Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:39:02.995Z 804e3b095828 Skyformation - 2457476870350379974 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 dproc=file events dtz=default-tenant end=1631824742995 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:39:02.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:39:00.749Z ext_md5Checksum=c777bda26af371c784639bf97c796a30 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657743 ext_insertionTimestamp=2021-09-16T20:40:03.955501Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:39:02.995Z\",\"insertionTimestamp\":\"2021-09-16T20:40:03.955501Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657743,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c777bda26af371c784639bf97c796a30\",\"sha256Checksum\":\"2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:39:00.749Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:39:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61342_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8fd13adc-a57f-52b3-afec-f4d6286a241e", "observed_start_time": "2021-09-16T20:39:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:39:02.995Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:39:00.749Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a", "2021-09-16T20:40:29.204Z", 6657743, "code42-exfil-share-datatype", "c777bda26af371c784639bf97c796a30", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:39:02.995Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.898Z 804e3b095828 Skyformation - 4866351305492022215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819715898 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.898Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:16.117Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567962Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.422Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.898Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567962Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26151827,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"4686b7fd21e7fb7459728108e94bdda5\",\"sha256Checksum\":\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"createTimestamp\":\"2021-09-16T19:15:15.422Z\",\"modifyTimestamp\":\"2021-09-16T19:15:16.117Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f72d64ad-9c47-5fe9-abad-e1411db140d1", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.898Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-desktop-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:16.117Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455", "2021-09-16T19:20:29.168Z", 26151827, "code42-exfil-share-datatype", "4686b7fd21e7fb7459728108e94bdda5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.898Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:15.422Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:17:02.470Z 804e3b095828 Skyformation - 3355602177351257247 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 dproc=file events dtz=default-tenant end=1631823422470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:17:02.470Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:17:00.510Z ext_md5Checksum=79e223064e50c50dc63e89e30862e8f4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657105 ext_insertionTimestamp=2021-09-16T20:18:24.025397Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:17:02.470Z\",\"insertionTimestamp\":\"2021-09-16T20:18:24.025397Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657105,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"79e223064e50c50dc63e89e30862e8f4\",\"sha256Checksum\":\"5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:17:00.510Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:17:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6d5a20a2-f50e-5f19-a010-b1be1e470e1d", "observed_start_time": "2021-09-16T20:17:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:17:02.470Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:17:00.510Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3", "2021-09-16T20:20:29.219Z", 6657105, "code42-exfil-share-datatype", "79e223064e50c50dc63e89e30862e8f4", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:17:02.470Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.801Z 804e3b095828 Skyformation - 621632533739725350 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819723801 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.801Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567212Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.801Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567212Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libclrjit.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2741416,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"650f69041d44556a5f3bdbcace8b3dea\",\"sha256Checksum\":\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"createTimestamp\":\"2020-01-17T02:29:02Z\",\"modifyTimestamp\":\"2020-01-17T02:29:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_4_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4ae4ea8f-75b0-5f70-bab5-178877150abf", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.801Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libclrjit.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:29:02Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959", "2021-09-16T19:20:29.158Z", 2741416, "code42-exfil-share-datatype", "650f69041d44556a5f3bdbcace8b3dea", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.801Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:29:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:49:02.292Z 804e3b095828 Skyformation - 1350603041899679478 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 dproc=file events dtz=default-tenant end=1631832542292 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:49:02.292Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:49:00.527Z ext_md5Checksum=e36e7a007a335fab0b5c84fd64dfdccc ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661513 ext_insertionTimestamp=2021-09-16T22:50:23.782238Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:49:02.292Z\",\"insertionTimestamp\":\"2021-09-16T22:50:23.782238Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661513,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e36e7a007a335fab0b5c84fd64dfdccc\",\"sha256Checksum\":\"5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:49:00.527Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:49:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61444_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-af4fbb0a-af39-5538-9106-9b2db2646476", "observed_start_time": "2021-09-16T22:49:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "e6bed5f8-b4eb-48c3-a7d6-93dcd222e271", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:49:02.292Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:49:00.527Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca", "2021-09-16T22:52:31.870Z", 6661513, "code42-exfil-share-datatype", "e36e7a007a335fab0b5c84fd64dfdccc", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:49:02.292Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.761Z 804e3b095828 Skyformation - 2980995002300610810 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719761 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.761Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.832Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 
ext_insertionTimestamp=2021-09-16T19:18:39.567638Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.812Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.761Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567638Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":652056,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"23ba5e96a691edc4773fec0f88bf952f\",\"sha256Checksum\":\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"createTimestamp\":\"2021-09-16T19:15:18.812Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.832Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c978eb4a-4e5b-5e42-870b-1d5172367949", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.761Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.FileSystemWindows-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.832Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5", "2021-09-16T19:20:29.168Z", 652056, "code42-exfil-share-datatype", "23ba5e96a691edc4773fec0f88bf952f", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.761Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.812Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.897Z 804e3b095828 Skyformation - 5723685368446080373 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715897 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar fsize=41227 msg=Resource [Resource: file :: test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.897Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.419Z ext_md5Checksum=e98fb5f87aed64e2d32116bc565d2dec ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=41227 ext_insertionTimestamp=2021-09-16T19:18:39.567796Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.414Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.897Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567796Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":41227,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e98fb5f87aed64e2d32116bc565d2dec\",\"sha256Checksum\":\"95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806\",\"createTimestamp\":\"2021-09-16T19:15:15.414Z\",\"modifyTimestamp\":\"2021-09-16T19:15:15.419Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\"
:null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4386ebf1-b7bd-5cc7-9d76-25107a9a2069", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.897Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:15.419Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806", "2021-09-16T19:20:29.157Z", 41227, "code42-exfil-share-datatype", "e98fb5f87aed64e2d32116bc565d2dec", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.897Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:15.414Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.821Z 804e3b095828 Skyformation - 1605658926549055429 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723821 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.821Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567392Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.821Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567392Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"netstandard.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":105472,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3d47f885a18937d6fd0fde935538560b\",\"sha256Checksum\":\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_18_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2481047e-5ae4-543b-9028-8e19e3e05566", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.821Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "netstandard.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8", "2021-09-16T19:20:29.170Z", 105472, "code42-exfil-share-datatype", "3d47f885a18937d6fd0fde935538560b", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.821Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:01:01.023Z 804e3b095828 Skyformation - 2456916627922492488 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 dproc=file events dtz=default-tenant end=1631822461023 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:01:01.023Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:01:00.608Z ext_md5Checksum=2ee6250bd1e7bd8600f0961bd3324d4e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656641 ext_insertionTimestamp=2021-09-16T20:02:04.344088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:01:01.023Z\",\"insertionTimestamp\":\"2021-09-16T20:02:04.344088Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656641,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2ee6250bd1e7bd8600f0961bd3324d4e\",\"sha256Checksum\":\"1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:01:00.608Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:01:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61339_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fc4db0ba-18cc-5107-a914-084f635c52af", "observed_start_time": "2021-09-16T20:01:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:01:01.023Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:01:00.608Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54", "2021-09-16T20:04:28.310Z", 6656641, "code42-exfil-share-datatype", "2ee6250bd1e7bd8600f0961bd3324d4e", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:01:01.023Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.772Z 804e3b095828 Skyformation - 8294759705628931815 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819718772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.772Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.095Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.568008Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.884Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.772Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568008Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7650176,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d2670e017c2aee21fbfa183360468e94\",\"sha256Checksum\":\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"createTimestamp\":\"2021-09-16T19:15:17.884Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.095Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f63d3086-bd17-55ab-81cc-54fc91e7d10b", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.772Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-file-system-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.095Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64", "2021-09-16T19:20:29.172Z", 7650176, "code42-exfil-share-datatype", "d2670e017c2aee21fbfa183360468e94", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.772Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.884Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:44:00.556Z 804e3b095828 Skyformation - 8674733544075329242 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 dproc=file events dtz=default-tenant end=1631828640556 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:44:00.556Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:44:00.149Z ext_md5Checksum=32ef24cfa95d52085eea12935c55f475 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659628 ext_insertionTimestamp=2021-09-16T21:45:15.841469Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:44:00.556Z\",\"insertionTimestamp\":\"2021-09-16T21:45:15.841469Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659628,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"32ef24cfa95d52085eea12935c55f475\",\"sha256Checksum\":\"a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:44:00.149Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:44:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-23911c2c-7e26-51bc-9fea-5f05b4c871cf", "observed_start_time": "2021-09-16T21:44:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:44:00.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:44:00.149Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a", "2021-09-16T21:46:29.997Z", 6659628, "code42-exfil-share-datatype", "32ef24cfa95d52085eea12935c55f475", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:44:00.556Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.085Z 804e3b095828 Skyformation - 8692612087128247895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819724085 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.085Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567190Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.085Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567190Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"WindowsBase.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d8a0e4361c61034952e56a4eaac26925\",\"sha256Checksum\":\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_18_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-08f2fe68-910f-5dc7-94c4-c7d30afc8519", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.085Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsBase.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597", "2021-09-16T19:20:29.170Z", 6656, "code42-exfil-share-datatype", "d8a0e4361c61034952e56a4eaac26925", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.085Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z 
ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-75e7c90f-681b-5167-ab1f-93253718bf60", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "email", "ctr_uuid": "9bbedf60-14c7-4119-88a5-0980db51cd12", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": 
"indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 5692899194704443110 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Java.sh fsize=165 msg=Resource [Resource: file :: launchTest42Console-Java.sh] was deleted 
by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Java.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.020Z ext_md5Checksum=3b387d2bf8ce6d3b92a5f1db751813f9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=165 ext_insertionTimestamp=2021-09-16T19:18:39.568109Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.019Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.994Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568109Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Java.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":165,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3b387d2bf8ce6d3b92a5f1db751813f9\",\"sha256Checksum\":\"ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361\",\"createTimestamp\":\"2021-09-16T14:29:41.019Z\",\"modifyTimestamp\":\"2021-09-16T14:29:41.020Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,
\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_11_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-45612c08-8262-5116-a9f8-17732756f8ff", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.994Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Java.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:41.020Z", "application/x-sh", "DELETED", "162.222.47.183", "kathy.kane", "ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361", "2021-09-16T19:20:29.168Z", 165, "code42-exfil-share-datatype", "3b387d2bf8ce6d3b92a5f1db751813f9", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.994Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:41.019Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:28:00.876Z 804e3b095828 Skyformation - 8042611856875895468 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 dproc=file events 
dtz=default-tenant end=1631831280876 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:28:00.876Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:28:00.304Z ext_md5Checksum=453ec6ef064fa5bc0c6f50ee2d5204e5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660904 ext_insertionTimestamp=2021-09-16T22:28:42.643367Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:28:00.876Z\",\"insertionTimestamp\":\"2021-09-16T22:28:42.643367Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660904,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"453ec6ef064fa5bc0c6f50ee2d5204e5\",\"sha256Checksum\":\"853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:28:00.304Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:28:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61426_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5a4f38a7-721b-5a46-af92-9b379e22e83f", "observed_start_time": "2021-09-16T22:28:00Z", "count": 1, "observable_type": "email", "ctr_uuid": "4b7ab028-acaa-4fb1-b37e-526ecd458912", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:28:00.876Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:28:00.304Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108", "2021-09-16T22:30:29.500Z", 6660904, "code42-exfil-share-datatype", "453ec6ef064fa5bc0c6f50ee2d5204e5", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:28:00.876Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:59:02.980Z\",\"insertionTimestamp\":\"2021-09-16T23:01:17.003636Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661803,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7a691f6c406d52373ad2c62e2f480bb3\",\"sha256Checksum\":\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:59:00.670Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:59:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a65e4551-47d7-5f70-a259-006cd2ea2894", "observed_start_time": "2021-09-16T22:59:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "f0a0ad4f-0f73-4ac4-96d8-488f86fa742f", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:59:02.980Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:59:00.670Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3", "2021-09-16T23:02:30.314Z", 6661803, "code42-exfil-share-datatype", "7a691f6c406d52373ad2c62e2f480bb3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:59:02.980Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:14.828Z 804e3b095828 Skyformation - 4988657070909514900 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819714828 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:14.828Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:13.679Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567549Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:13.658Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:14.828Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567549Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-Test42Runner-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":468043,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2fa8d4d1035f2e127169e5e649d52ed1\",\"sha256Checksum\":\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"createTimestamp\":\"2021-09-16T19:15:13.658Z\",\"modifyTimestamp\":\"2021-09-16T19:15:13.679Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:14Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-747337c7-1290-5526-abdf-d50e6103d1ac", "observed_start_time": "2021-09-16T19:15:14Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:14.828Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-Test42Runner-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:13.679Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4", "2021-09-16T19:20:29.172Z", 468043, "code42-exfil-share-datatype", "2fa8d4d1035f2e127169e5e649d52ed1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:14.828Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:13.658Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.775Z 804e3b095828 Skyformation - 235457846511697461 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718775 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.775Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.687Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567939Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.378Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.775Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567939Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11047889,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c32214157ad2def6a511701ce4e0a562\",\"sha256Checksum\":\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"createTimestamp\":\"2021-09-16T19:15:18.378Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.687Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emai
lFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0d18a5dd-0e2a-5b84-b619-3d537c56b3d0", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.775Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.687Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b", "2021-09-16T19:20:29.172Z", 11047889, "code42-exfil-share-datatype", "c32214157ad2def6a511701ce4e0a562", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.775Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.378Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:39:00.951Z 804e3b095828 Skyformation - 3085221760796449695 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 dproc=file events dtz=default-tenant end=1631828340951 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:39:00.951Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:39:00.700Z ext_md5Checksum=5a797dc0a97885951ef7fd87b6f564fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659483 ext_insertionTimestamp=2021-09-16T21:39:50.425897Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:39:00.951Z\",\"insertionTimestamp\":\"2021-09-16T21:39:50.425897Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659483,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5a797dc0a97885951ef7fd87b6f564fe\",\"sha256Checksum\":\"a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:39:00.700Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],
\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:39:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-de89ae13-1740-5d1b-89bb-f85121f0cd75", "observed_start_time": "2021-09-16T21:39:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:39:00.951Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:39:00.700Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c", "2021-09-16T21:40:29.785Z", 6659483, "code42-exfil-share-datatype", "5a797dc0a97885951ef7fd87b6f564fe", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:39:00.951Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.769Z 804e3b095828 Skyformation - 6627546699421659495 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719769 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.769Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.052Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568143Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.979Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.769Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568143Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"test42-console-8.2.3.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2573374,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa7ef1099a4cd7eb288430e0f8621b0c\",\"sha256Checksum\":\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"createTimestamp\":\"2021-09-16T19:15:18.979Z\",\"modifyTimestamp\":\"2021-09-16T19:15:19.052Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_1_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3d31370-5f9b-5151-b1b4-1106238db7e9", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.769Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-console-8.2.3.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:19.052Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee", "2021-09-16T19:20:29.167Z", 2573374, "code42-exfil-share-datatype", "aa7ef1099a4cd7eb288430e0f8621b0c", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.769Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.979Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.893Z 804e3b095828 Skyformation - 4881423058587582298 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715893 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:15.893Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.133Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567870Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:14.961Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.893Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567870Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-common-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6080452,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"08215631827e4179e243d27b5f502f90\",\"sha256Checksum\":\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"createTimestamp\":\"2021-09-16T19:15:14.961Z\",\"modifyTimestamp\":\"2021-09-16T19:15:15.133Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRec
ipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fcfc53ce-2a59-58e6-8c35-da34b1db1be7", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.893Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-common-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:15.133Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1", "2021-09-16T19:20:29.169Z", 6080452, "code42-exfil-share-datatype", "08215631827e4179e243d27b5f502f90", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.893Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:14.961Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.773Z 804e3b095828 Skyformation - 2796256343079738721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718773 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.773Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.342Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 
ext_insertionTimestamp=2021-09-16T19:18:39.568031Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.148Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.773Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568031Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-rest-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6976661,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f20102257ab369adb8dd6cb6c50014fe\",\"sha256Checksum\":\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"createTimestamp\":\"2021-09-16T19:15:18.148Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.342Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61263_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-82473b8d-7e74-50ea-9744-5b08a75c0f86", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.773Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-rest-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.342Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf", "2021-09-16T19:20:29.159Z", 6976661, "code42-exfil-share-datatype", "f20102257ab369adb8dd6cb6c50014fe", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.773Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.148Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 1490067587399469079 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.147Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.567997Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.911Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567997Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7650176,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d2670e017c2aee21fbfa183360468e94\",\"sha256Checksum\":\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"createTimestamp\":\"2021-09-16T14:29:30.911Z\",\"modifyTimestamp\":\"2021-09-16T14:29:31.147Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"ema
ilRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-600d5056-d56f-5d29-8735-28d002a0177c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-file-system-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:31.147Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64", "2021-09-16T19:20:29.157Z", 7650176, "code42-exfil-share-datatype", "d2670e017c2aee21fbfa183360468e94", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.911Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:50:02.277Z 804e3b095828 Skyformation - 5602684442482280736 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 dproc=file events dtz=default-tenant end=1631829002277 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:50:02.277Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:50:00.880Z ext_md5Checksum=b817fe0a78cbc9235abc6adce11beb39 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659802 ext_insertionTimestamp=2021-09-16T21:51:03.096935Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:50:02.277Z\",\"insertionTimestamp\":\"2021-09-16T21:51:03.096935Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659802,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"b817fe0a78cbc9235abc6adce11beb39\",\"sha256Checksum\":\"6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:50:00.880Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8c564a5c-edc3-541c-989b-c9b6584537a0", "observed_start_time": "2021-09-16T21:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:50:02.277Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:50:00.880Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c", "2021-09-16T21:52:29.135Z", 6659802, "code42-exfil-share-datatype", "b817fe0a78cbc9235abc6adce11beb39", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:50:02.277Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.993Z 804e3b095828 Skyformation - 8176639218918911133 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711993 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console.runtimeconfig.json fsize=105 msg=Resource [Resource: file :: Test42Console.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.993Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.653Z ext_md5Checksum=ba8f99b0518b43d8e5cdf3ea1356c600 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105 ext_insertionTimestamp=2021-09-16T19:18:39.567470Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.651Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.993Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567470Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console.runtimeconfig.json\",\"fileType\":\"FILE\",\"fileCategory\":\"Uncategorized\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":105,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"ba8f99b0518b43d8e5cdf3ea1356c600\",\"sha256Checksum\":\"8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86\",\"createTimestamp\":\"2021-09-16T14:29:32.651Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.653Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/json\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_19_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c0e83a93-2af4-5d37-babd-10b1452f228d", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.993Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Test42Console.runtimeconfig.json", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.653Z", "application/json", "DELETED", "162.222.47.183", "kathy.kane", "8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86", "2021-09-16T19:20:29.168Z", 105, "code42-exfil-share-datatype", "ba8f99b0518b43d8e5cdf3ea1356c600", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Uncategorized", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.993Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.651Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.008Z 804e3b095828 Skyformation - 2619095453314890827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712008 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-string-18.0.194-develop-194.jar fsize=14758 msg=Resource [Resource: file :: test42-fixture-string-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:12.008Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-string-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.375Z ext_md5Checksum=0c1b42a22fa41253e0a883a3c2147fa9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14758 ext_insertionTimestamp=2021-09-16T19:18:39.568043Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.371Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.008Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568043Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-string-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14758,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0c1b42a22fa41253e0a883a3c2147fa9\",\"sha256Checksum\":\"a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c\",\"createTimestamp\":\"2021-09-16T14:29:26.371Z\",\"modifyTimestamp\":\"2021-09-16T14:29:26.375Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d692ff50-8a73-5b7c-887a-7ac69931a5ce", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.008Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-string-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:26.375Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c", "2021-09-16T19:20:29.168Z", 14758, "code42-exfil-share-datatype", "0c1b42a22fa41253e0a883a3c2147fa9", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.008Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:26.371Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 465235528329935198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.563Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 
ext_insertionTimestamp=2021-09-16T19:18:39.567718Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.281Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567718Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7657197,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"61898b6da7ebbf3a13be7c76ae49e5f5\",\"sha256Checksum\":\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"createTimestamp\":\"2021-09-16T14:29:30.281Z\",\"modifyTimestamp\":\"2021-09-16T14:29:30.563Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_11_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4e7fd42a-7da6-52ff-a103-0ef33800ab52", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:30.563Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43", "2021-09-16T19:20:29.168Z", 7657197, "code42-exfil-share-datatype", "61898b6da7ebbf3a13be7c76ae49e5f5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.281Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.820Z 804e3b095828 Skyformation - 3517425595454456489 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723820 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was created by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:23.820Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567369Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.820Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567369Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"nethost.h\",\"fileType\":\"FILE\",\"fileCategory\":\"SourceCode\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"SourceCode\",\"fileSize\":2709,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"43b6f3115aa52ad9540bdbe756e1a9b3\",\"sha256Checksum\":\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"createTimestamp\":\"2020-01-17T20:38:56Z\",\"modifyTimestamp\":\"2020-01-17T20:38:56Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":n
ull,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/x-chdr\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9e830775-5347-525c-aedd-78a6ed9a978d", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.820Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "SourceCode", "Endpoint", "nethost.h", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:38:56Z", "text/x-chdr", "CREATED", "162.222.47.183", "kathy.kane", "c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f", "2021-09-16T19:20:29.167Z", 2709, "code42-exfil-share-datatype", "43b6f3115aa52ad9540bdbe756e1a9b3", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "SourceCode", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.820Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:38:56Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 4664902644332636172 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar fsize=14514207 msg=Resource [Resource: file :: test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:29.203Z ext_md5Checksum=34dd2200b09a5c51bbd84acdeb98b606 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14514207 
ext_insertionTimestamp=2021-09-16T19:18:39.567904Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:28.792Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567904Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14514207,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"34dd2200b09a5c51bbd84acdeb98b606\",\"sha256Checksum\":\"13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e\",\"createTimestamp\":\"2021-09-16T14:29:28.792Z\",\"modifyTimestamp\":\"2021-09-16T14:29:29.203Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61263_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1a735af4-fe4a-5bf6-8aa8-32b39f6cb717", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:29.203Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e", "2021-09-16T19:20:29.158Z", 14514207, "code42-exfil-share-datatype", "34dd2200b09a5c51bbd84acdeb98b606", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:28.792Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:23:01.992Z 804e3b095828 Skyformation - 134014797071545939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 dproc=file events dtz=default-tenant end=1631823781992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:23:01.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:23:00.252Z ext_md5Checksum=e95fbbc4261d5827634041a0f12107a0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657279 ext_insertionTimestamp=2021-09-16T20:23:47.534223Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:23:01.992Z\",\"insertionTimestamp\":\"2021-09-16T20:23:47.534223Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657279,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e95fbbc4261d5827634041a0f12107a0\",\"sha256Checksum\":\"2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:23:00.252Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"172.20.64.15\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:23:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-36285ceb-2bb5-537c-aee4-140da8e61c9d", "observed_start_time": "2021-09-16T20:23:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:23:01.992Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "172.20.64.15", "2021-09-16T20:23:00.252Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09", "2021-09-16T20:24:29.211Z", 6657279, "code42-exfil-share-datatype", "e95fbbc4261d5827634041a0f12107a0", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:23:01.992Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:39:00.979Z 804e3b095828 Skyformation - 2580885261986268761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 dproc=file events 
dtz=default-tenant end=1631831940979 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:39:00.979Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:39:00.479Z ext_md5Checksum=693b07e79c0ed75e36f7a60f836ef1a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661223 ext_insertionTimestamp=2021-09-16T22:39:31.810355Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:39:00.979Z\",\"insertionTimestamp\":\"2021-09-16T22:39:31.810355Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661223,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"693b07e79c0ed75e36f7a60f836ef1a9\",\"sha256Checksum\":\"d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:39:00.479Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:39:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bbe544a7-4712-503d-8e2b-e850af9a8a35", "observed_start_time": "2021-09-16T22:39:00Z", "count": 1, "observable_type": "email", "ctr_uuid": "fadc76ee-cf2d-4cbd-b0ed-7a1ca4a07aec", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:39:00.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:39:00.479Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0", "2021-09-16T22:40:29.619Z", 6661223, "code42-exfil-share-datatype", "693b07e79c0ed75e36f7a60f836ef1a9", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:39:00.979Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 3347113359677108016 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XmlSerializer.dll fsize=8704 msg=Resource [Resource: file :: System.Xml.XmlSerializer.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlSerializer.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=0cc4665479b5e519b2597b93577de1aa ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8704 ext_insertionTimestamp=2021-09-16T19:18:39.567112Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567112Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XmlSerializer.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":8704,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0cc4665479b5e519b2597b93577de1aa\",\"sha256Checksum\":\"027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_3_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a8e336e0-e775-5f81-a1d7-1d703bd8e157", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XmlSerializer.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba", "2021-09-16T19:20:29.167Z", 8704, "code42-exfil-share-datatype", "0cc4665479b5e519b2597b93577de1aa", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:23:02.291Z 804e3b095828 Skyformation - 2954122368002305264 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 dproc=file events dtz=default-tenant end=1631827382291 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:23:02.291Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:23:00.987Z ext_md5Checksum=8a6258884d44fdd107707ad5c0cf2bea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659019 ext_insertionTimestamp=2021-09-16T21:23:35.061605Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:23:02.291Z\",\"insertionTimestamp\":\"2021-09-16T21:23:35.061605Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659019,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8a6258884d44fdd107707ad5c0cf2bea\",\"sha256Checksum\":\"4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:23:00.987Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:23:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61418_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5e37db0d-c059-56cc-8397-ed743e0042df", "observed_start_time": "2021-09-16T21:23:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:23:02.291Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:23:00.987Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b", "2021-09-16T21:24:29.095Z", 6659019, "code42-exfil-share-datatype", "8a6258884d44fdd107707ad5c0cf2bea", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:23:02.291Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "76c97484-2a68-423b-8253-74077ffe7d5a", "observable": {"key": "2dde50ee-8aa4-4e5b-83b7-465c8f586c94", "value": "kathy.kane@c42se.com", "indicators": [], "type": "email", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "eb1b756a", 
"module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "email", "value": "kathy.kane@c42se.com"}, "type": "warning", "action_id": "194360e4-b8f2-44b6-9386-2d9df7a3a549", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for kathy.kane@c42se.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "kathy.kane@c42se.com", "id": "eb1b756a", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:45:02.992Z 804e3b095828 Skyformation - 7407412671789166693 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 dproc=file events dtz=default-tenant end=1631821502992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:45:02.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:45:00.674Z ext_md5Checksum=fdd100bc2a43a9756c77a0f9bc9a6bb1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656177 ext_insertionTimestamp=2021-09-16T19:46:24.888007Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211955968341899_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:45:02.992Z\",\"insertionTimestamp\":\"2021-09-16T19:46:24.888007Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656177,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fdd100bc2a43a9756c77a0f9bc9a6bb1\",\"sha256Checksum\":\"d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:45:00.674Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:45:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61335_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-031676c5-8fde-5d2f-a294-dcc4907a8027", "observed_start_time": "2021-09-16T19:45:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:45:02.992Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", 
"type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:45:00.674Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d3a163af34ef9ad789972c9544f3faf38994b6972645cd6f42da151caa9eb58b", "2021-09-16T19:46:29.180Z", 6656177, "code42-exfil-share-datatype", "fdd100bc2a43a9756c77a0f9bc9a6bb1", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:45:02.992Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 7344986800471780939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 
ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.617Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568132Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.538Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_328\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.997Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568132Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"test42-console-8.2.3.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2573374,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa7ef1099a4cd7eb288430e0f8621b0c\",\"sha256Checksum\":\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"createTimestamp\":\"2021-09-16T14:29:32.538Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.617Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\
":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-12273ce2-c1f1-56d6-940c-1caa8cc3def0", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.997Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-console-8.2.3.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.617Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee", "2021-09-16T19:20:29.169Z", 2573374, "code42-exfil-share-datatype", "aa7ef1099a4cd7eb288430e0f8621b0c", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.997Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.538Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:17:02.424Z 804e3b095828 Skyformation - 1426281696218831775 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 dproc=file events dtz=default-tenant end=1631830622424 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:17:02.424Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:17:01.080Z ext_md5Checksum=45271570c0b4116a1346bc72d738bdb7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660585 ext_insertionTimestamp=2021-09-16T22:18:10.576136Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227259792455563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:17:02.424Z\",\"insertionTimestamp\":\"2021-09-16T22:18:10.576136Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660585,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"45271570c0b4116a1346bc72d738bdb7\",\"sha256Checksum\":\"7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:17:01.080Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:17:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61425_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d8f5eeb-ef31-559e-bd07-4110d914aed6", "observed_start_time": "2021-09-16T22:17:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:17:02.424Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:17:01.080Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7aadf4aedf4e13c63e9b6ed794369c175ac01403ac4a92299b0c8b4c48aab9cf", "2021-09-16T22:18:30.436Z", 6660585, "code42-exfil-share-datatype", "45271570c0b4116a1346bc72d738bdb7", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:17:02.424Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] 
cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-14468291-feda-589f-aff6-c26b375c9a21", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "email", "ctr_uuid": "1430cdb0-e2b9-48e8-b049-c6d851398a76", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.064Z 804e3b095828 Skyformation - 4009757464107454250 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724064 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.064Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566878Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_23\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.064Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566878Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.ValueTuple.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5632,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"749df27ac6199cfa7c4b38c78528d3c7\",\"sha256Checksum\":\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailR
ecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-87f5bd74-534f-5452-9443-5780f3c04592", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.064Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ValueTuple.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e", "2021-09-16T19:20:29.169Z", 5632, "code42-exfil-share-datatype", "749df27ac6199cfa7c4b38c78528d3c7", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.064Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4235368662387611807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 
ext_insertionTimestamp=2021-09-16T19:18:39.567001Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_54\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567001Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Serialization.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9f738865f15c0a0be0e20e709bc3d36d\",\"sha256Checksum\":\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_7_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cd2c1f21-0ba5-54a9-a265-cebe9ec4f240", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Serialization.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34", "2021-09-16T19:20:29.157Z", 6656, "code42-exfil-share-datatype", "9f738865f15c0a0be0e20e709bc3d36d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:17.834Z 804e3b095828 Skyformation - 7862693865552891800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819717834 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:17.834Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.599Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 ext_insertionTimestamp=2021-09-16T19:18:39.567729Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.382Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_235\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:17.834Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567729Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7657197,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"61898b6da7ebbf3a13be7c76ae49e5f5\",\"sha256Checksum\":\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"createTimestamp\":\"2021-09-16T19:15:17.382Z\",\"modifyTimestamp\":\"2021-09-16T19:15:17.599Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":nu
ll,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:17Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1f1a61cc-36a1-5d00-b37d-186d933c3aff", "observed_start_time": "2021-09-16T19:15:17Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:17.834Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:17.599Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43", "2021-09-16T19:20:29.170Z", 7657197, "code42-exfil-share-datatype", "61898b6da7ebbf3a13be7c76ae49e5f5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:17.834Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.382Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:12:02.578Z 804e3b095828 Skyformation - 1251318046287163167 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 dproc=file events dtz=default-tenant end=1631826722578 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:12:02.578Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:12:00.729Z ext_md5Checksum=dbc1cb1cfb3298c65169ae22e5f6f7c3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658700 ext_insertionTimestamp=2021-09-16T21:12:39.659856Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220699900999563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:12:02.578Z\",\"insertionTimestamp\":\"2021-09-16T21:12:39.659856Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658700,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"dbc1cb1cfb3298c65169ae22e5f6f7c3\",\"sha256Checksum\":\"04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:12:00.729Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"
emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:12:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61383_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61383_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-762de8d1-3a28-5dc3-9b5a-a2f4a034504c", "observed_start_time": "2021-09-16T21:12:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:12:02.578Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:12:00.729Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "04bc7eac655f1ccacf60e33a13685a1b4e205ceed4c53e2d280e2fd1342d9a86", "2021-09-16T21:14:30.111Z", 6658700, "code42-exfil-share-datatype", "dbc1cb1cfb3298c65169ae22e5f6f7c3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:12:02.578Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.805Z 804e3b095828 Skyformation - 3819734286974639827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723805 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.805Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567280Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_131\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.805Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567280Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libhostpolicy.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":315420,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"006913ffaf68f205cc00bd03cc0d3761\",\"sha256Checksum\":\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"createTimestamp\":\"2020-01-17T20:42:18Z\",\"modifyTimestamp\":\"2020-01-17T20:42:18Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_19_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-452a4ed9-abce-5890-a830-82ddb5eaa49b", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.805Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libhostpolicy.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:42:18Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c", "2021-09-16T19:20:29.168Z", 315420, "code42-exfil-share-datatype", "006913ffaf68f205cc00bd03cc0d3761", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.805Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:42:18Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.076Z 804e3b095828 Skyformation - 58928744233355401 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724076 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Serialization.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.Serialization.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.076Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Serialization.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=9f738865f15c0a0be0e20e709bc3d36d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567012Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_59\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.076Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567012Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Serialization.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9f738865f15c0a0be0e20e709bc3d36d\",\"sha256Checksum\":\"68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\
"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-10061513-9751-5b3c-852f-d7df4246f094", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.076Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", 
"type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Serialization.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "68cdc78faea3267194edb12d485a57e9a5782a1ba848578330c7b77d0ec02c34", "2021-09-16T19:20:29.167Z", 6656, "code42-exfil-share-datatype", "9f738865f15c0a0be0e20e709bc3d36d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.076Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 462618621597382345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.137Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567927Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.822Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_278\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567927Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11047889,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c32214157ad2def6a511701ce4e0a562\",\"sha256Checksum\":\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"createTimestamp\":\"2021-09-16T14:29:31.822Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.137Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_2_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-97403b8e-6aff-5cd3-a460-803204a1cfc9", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.137Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b", "2021-09-16T19:20:29.169Z", 11047889, "code42-exfil-share-datatype", "c32214157ad2def6a511701ce4e0a562", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:31.822Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 6416722578617098322 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-alert-service-rest-1.2.2.jar fsize=7019539 msg=Resource [Resource: file :: test42-fixture-code42-alert-service-rest-1.2.2.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-alert-service-rest-1.2.2.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.763Z ext_md5Checksum=df05453fe8178232379ca092d4b68707 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7019539 ext_insertionTimestamp=2021-09-16T19:18:39.567740Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.546Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_236\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567740Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-alert-service-rest-1.2.2.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7019539,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"df05453fe8178232379ca092d4b68707\",\"sha256Checksum\":\"6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab\",\"createTimestamp\":\"2021-09-16T14:29:27.546Z\",\"modifyTimestamp\":\"2021-09-16T14:29:27.763Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emai
lRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-412a5023-44d2-5525-a625-4f57e9139e3c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-alert-service-rest-1.2.2.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:27.763Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "6bf45e14094c315043755ebc6634593ae72345ee9e09c3d1221e0a8572faa4ab", "2021-09-16T19:20:29.168Z", 7019539, "code42-exfil-share-datatype", "df05453fe8178232379ca092d4b68707", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.546Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:22:01.088Z 804e3b095828 Skyformation - 4749241203676691576 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 dproc=file events dtz=default-tenant end=1631830921088 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:22:01.088Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:22:00.690Z ext_md5Checksum=8e515a38447fb49fafaa3e7170033bae ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660730 ext_insertionTimestamp=2021-09-16T22:23:15.723548Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025227806310266763_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:22:01.088Z\",\"insertionTimestamp\":\"2021-09-16T22:23:15.723548Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660730,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8e515a38447fb49fafaa3e7170033bae\",\"sha256Checksum\":\"5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:22:00.690Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:22:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61425_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61425_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ad96c6e7-6d2f-5df9-b6e7-d303a7b7f923", "observed_start_time": "2021-09-16T22:22:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "a7fd941d-edea-4706-9699-2a2f79ca15d2", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:22:01.088Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:22:00.690Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5f9e133c60977f9a97e9564f362b97d1243d7348932837867b30de230f782a1f", "2021-09-16T22:24:29.693Z", 6660730, "code42-exfil-share-datatype", "8e515a38447fb49fafaa3e7170033bae", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:22:01.088Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7158143674742709094 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 
ext_insertionTimestamp=2021-09-16T19:18:39.567291Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_132\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567291Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libmscordaccore.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2802552,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"854aa71660522e18506cc263cecea7e2\",\"sha256Checksum\":\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"createTimestamp\":\"2020-01-17T02:31:44Z\",\"modifyTimestamp\":\"2020-01-17T02:31:44Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_13_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8198bde8-0245-5e2a-93fc-59c66fb696e4", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libmscordaccore.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:31:44Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab", "2021-09-16T19:20:29.169Z", 2802552, "code42-exfil-share-datatype", "854aa71660522e18506cc263cecea7e2", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:31:44Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:33:01.185Z 804e3b095828 Skyformation - 4460753087283045225 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 dproc=file events dtz=default-tenant end=1631831581185 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:33:01.185Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:33:00.790Z ext_md5Checksum=7075f5a9476afb66da2971d452418a61 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661049 ext_insertionTimestamp=2021-09-16T22:34:07.862615Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228899798873995_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:33:01.185Z\",\"insertionTimestamp\":\"2021-09-16T22:34:07.862615Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661049,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7075f5a9476afb66da2971d452418a61\",\"sha256Checksum\":\"5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:33:00.790Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:33:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b6618a95-257a-52f5-b542-b6a877095e4e", "observed_start_time": "2021-09-16T22:33:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "aa545d84-3600-423b-b4c0-36ff943bb68d", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:33:01.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:33:00.790Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5f5b6e0e3a6324b57b586c6a27e1e104e227d94b7e2e1ad01109a27eefe019d7", "2021-09-16T22:36:29.677Z", 6661049, "code42-exfil-share-datatype", "7075f5a9476afb66da2971d452418a61", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:33:01.185Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 1247614792973000445 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XPath.XDocument.dll fsize=7680 msg=Resource [Resource: file :: System.Xml.XPath.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XPath.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=82e06f761ac5ea823337cc0ea0d80265 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7680 ext_insertionTimestamp=2021-09-16T19:18:39.567046Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_66\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567046Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XPath.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7680,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"82e06f761ac5ea823337cc0ea0d80265\",\"sha256Checksum\":\"4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f6636ef7-9d0d-57a5-b89c-a4a08d818f4a", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XPath.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "4d798f3db740caad411172282ea686ea27ee9fc4abb4180806aabf088be0efec", "2021-09-16T19:20:29.169Z", 7680, "code42-exfil-share-datatype", "82e06f761ac5ea823337cc0ea0d80265", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:50:02.626Z 804e3b095828 Skyformation - 7056838657966092182 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 dproc=file events dtz=default-tenant end=1631825402626 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:50:02.626Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:50:01.081Z ext_md5Checksum=0e3e512e4db31fdca7839138ea07c3cd ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658062 ext_insertionTimestamp=2021-09-16T20:51:13.592006Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025218514182076299_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:50:02.626Z\",\"insertionTimestamp\":\"2021-09-16T20:51:13.592006Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658062,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0e3e512e4db31fdca7839138ea07c3cd\",\"sha256Checksum\":\"6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:50:01.081Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_3_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-95ca0967-17bd-5ba1-9638-937d30c72aa1", "observed_start_time": "2021-09-16T20:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:50:02.626Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:50:01.081Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6606ef2fbcdf91dbe85f724dc61d988fa96c3760ce3df6c47b516f9f07b2a723", "2021-09-16T20:52:28.713Z", 6658062, "code42-exfil-share-datatype", "0e3e512e4db31fdca7839138ea07c3cd", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:50:02.626Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.999Z 804e3b095828 Skyformation - 8907642681921436779 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711999 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.999Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.646Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567448Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2021-09-16T14:29:32.629Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_170\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.999Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567448Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":450936,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"58a95b2ee03992ee00ce01ec759b00c8\",\"sha256Checksum\":\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"createTimestamp\":\"2021-09-16T14:29:32.629Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.646Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_7_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1c5d953b-5212-5c47-8f16-8cdaa3e74600", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.999Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "Test42Console-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.646Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71", "2021-09-16T19:20:29.170Z", 450936, "code42-exfil-share-datatype", "58a95b2ee03992ee00ce01ec759b00c8", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.999Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.629Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.806Z 804e3b095828 Skyformation - 8403369398149844084 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723806 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libmscordaccore.dylib fsize=2802552 msg=Resource [Resource: file :: libmscordaccore.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.806Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libmscordaccore.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:31:44Z ext_md5Checksum=854aa71660522e18506cc263cecea7e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2802552 ext_insertionTimestamp=2021-09-16T19:18:39.567302Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:31:44Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_137\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.806Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567302Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libmscordaccore.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2802552,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"854aa71660522e18506cc263cecea7e2\",\"sha256Checksum\":\"6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab\",\"createTimestamp\":\"2020-01-17T02:31:44Z\",\"modifyTimestamp\":\"2020-01-17T02:31:44Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\
"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-02f5047e-64c3-5227-9027-ce0ddb3f83f9", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.806Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libmscordaccore.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:31:44Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "6327005a26ef1d323b473137c1cd8e51bf9e7d142e078fc9191eaa05283507ab", "2021-09-16T19:20:29.169Z", 2802552, "code42-exfil-share-datatype", "854aa71660522e18506cc263cecea7e2", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.806Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:31:44Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.995Z 804e3b095828 Skyformation - 4477219442250454415 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711995 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.runtimeconfig.json fsize=146 msg=Resource [Resource: file :: Test42Console-8.2.3.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.527Z ext_md5Checksum=3f892e3babc6c74c9637579412fbd0c0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=146 ext_insertionTimestamp=2021-09-16T19:18:39.567426Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.522Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_166\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.995Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567426Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.runtimeconfig.json\",\"fileType\":\"FILE\",\"fileCategory\":\"Uncategorized\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":146,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3f892e3babc6c74c9637579412fbd0c0\",\"sha256Checksum\":\"938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2\",\"createTimestamp\":\"2021-09-16T14:29:32.522Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.527Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/json\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a4735e80-2d88-5e48-8ae4-82cd2dea6439", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.995Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Test42Console-8.2.3.runtimeconfig.json", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.527Z", "application/json", "DELETED", "162.222.47.183", "kathy.kane", "938ea41c4137c80f51f6f49bc6dbccace3bcf5f9277c9e41a4b8daad8f3527a2", "2021-09-16T19:20:29.172Z", 146, "code42-exfil-share-datatype", "3f892e3babc6c74c9637579412fbd0c0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Uncategorized", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.995Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.522Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.772Z 804e3b095828 Skyformation - 5124683873500115467 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=Test42Console-8.2.3.zip fsize=450936 msg=Resource [Resource: file :: Test42Console-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.772Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.077Z ext_md5Checksum=58a95b2ee03992ee00ce01ec759b00c8 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=450936 ext_insertionTimestamp=2021-09-16T19:18:39.567459Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:19.063Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_173\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.772Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567459Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":450936,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"58a95b2ee03992ee00ce01ec759b00c8\",\"sha256Checksum\":\"8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71\",\"createTimestamp\":\"2021-09-16T19:15:19.063Z\",\"modifyTimestamp\":\"2021-09-16T19:15:19.077Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,
\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-675576df-ceb0-5a0d-9bfc-3108c7890515", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.772Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "Test42Console-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:19.077Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "8083c21fa5e935672a339ee59894072aacadbb246deae64ee5aaaddee6952a71", "2021-09-16T19:20:29.169Z", 450936, "code42-exfil-share-datatype", "58a95b2ee03992ee00ce01ec759b00c8", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.772Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:19.063Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 7017112942517350907 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was deleted by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567358Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_150\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567358Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"nethost.h\",\"fileType\":\"FILE\",\"fileCategory\":\"SourceCode\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"SourceCode\",\"fileSize\":2709,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"43b6f3115aa52ad9540bdbe756e1a9b3\",\"sha256Checksum\":\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"createTimestamp\":\"2020-01-17T20:38:56Z\",\"modifyTimestamp\":\"2020-01-17T20:38:56Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/x-chdr\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61265_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-071fc5f2-9af0-594f-8c83-88575846f14e", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "SourceCode", "Endpoint", "nethost.h", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:38:56Z", "text/x-chdr", "DELETED", "162.222.47.183", "kathy.kane", "c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f", "2021-09-16T19:20:29.170Z", 2709, "code42-exfil-share-datatype", "43b6f3115aa52ad9540bdbe756e1a9b3", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "SourceCode", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:38:56Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:50:02.065Z 804e3b095828 Skyformation - 8498846088421542075 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 dproc=file events dtz=default-tenant end=1631821802065 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:50:02.065Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 
ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:50:00.154Z ext_md5Checksum=419c9c07c999bc2c71e9c8e0d74b3977 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656322 ext_insertionTimestamp=2021-09-16T19:51:24.240399Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025212502771365771_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:50:02.065Z\",\"insertionTimestamp\":\"2021-09-16T19:51:24.240399Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656322,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"419c9c07c999bc2c71e9c8e0d74b3977\",\"sha256Checksum\":\"c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:50:00.154Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61338_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b860517a-d359-5618-b9da-cbb484cb38e6", "observed_start_time": "2021-09-16T19:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:50:02.065Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:50:00.154Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "c5a4e15df683ddb7a1fafbf174a44a6a2efc2a06b271d6c68e285812eecc96bb", "2021-09-16T19:52:28.142Z", 6656322, "code42-exfil-share-datatype", "419c9c07c999bc2c71e9c8e0d74b3977", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:50:02.065Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:23:01.314Z 804e3b095828 Skyformation - 930370924908933384 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 dproc=file events dtz=default-tenant end=1631820181314 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:23:01.314Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE 
ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:23:00.067Z ext_md5Checksum=8ce945a5034d673a8c3df84df944e9e2 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655539 ext_insertionTimestamp=2021-09-16T19:24:05.872543Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209769326671755_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:23:01.314Z\",\"insertionTimestamp\":\"2021-09-16T19:24:05.872543Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6655539,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8ce945a5034d673a8c3df84df944e9e2\",\"sha256Checksum\":\"eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:23:00.067Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:23:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61298_bb3b8a648af1"], 
"disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61298_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-edf54539-1473-5d66-97c1-f95cf9899b35", "observed_start_time": "2021-09-16T19:23:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:23:01.314Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": 
"string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:23:00.067Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "eb1835f842d753be45edd5694df8edf0d26daa299a5b06b94a4e5f8b57fd4e0f", "2021-09-16T19:24:29.929Z", 6655539, "code42-exfil-share-datatype", "8ce945a5034d673a8c3df84df944e9e2", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:23:01.314Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:27.623Z 804e3b095828 Skyformation - 3964934661273873169 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819727623 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was created by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:27.623Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 
ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:27.409Z ext_md5Checksum=232b292616f09cef3e0e8ba9805a2963 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568099Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:27.408Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_323\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:27.623Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568099Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Dotnet.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":202,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"232b292616f09cef3e0e8ba9805a2963\",\"sha256Checksum\":\"88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912\",\"createTimestamp\":\"2021-09-16T19:15:27.408Z\",\"modifyTimestamp\":\"2021-09-16T19:15:27.409Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":fals
e,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0e09b581-9e7d-5195-8a38-88102b9c437d", "observed_start_time": "2021-09-16T19:15:27Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:27.623Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Dotnet.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:27.409Z", "application/x-sh", "CREATED", "162.222.47.183", "kathy.kane", "88c0fcadab5763707c00ef932ef1af1e0e43d8211da73ebe56413ecc2b854912", "2021-09-16T19:20:29.167Z", 202, "code42-exfil-share-datatype", "232b292616f09cef3e0e8ba9805a2963", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:27.623Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:27.408Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:01:00.819Z 804e3b095828 Skyformation - 4261722877678484633 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 dproc=file 
events dtz=default-tenant end=1631826060819 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:01:00.819Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:01:00.560Z ext_md5Checksum=da192fa26ed85e10ce7bb718251110ad ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658381 ext_insertionTimestamp=2021-09-16T21:01:47.308430Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219606764713867_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:01:00.819Z\",\"insertionTimestamp\":\"2021-09-16T21:01:47.308430Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658381,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"da192fa26ed85e10ce7bb718251110ad\",\"sha256Checksum\":\"74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:01:00.560Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"172.20.64.15\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:01:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7711c718-0e21-5675-bb34-071d60939878", "observed_start_time": "2021-09-16T21:01:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:01:00.819Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "172.20.64.15", "2021-09-16T21:01:00.560Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "74c11aec6482789c6020f15f22c5ea558756caf7766fbb8679d8dce2e6b54e53", "2021-09-16T21:02:28.778Z", 6658381, "code42-exfil-share-datatype", "da192fa26ed85e10ce7bb718251110ad", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:01:00.819Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 6610991199308768678 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567179Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_102\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567179Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"WindowsBase.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d8a0e4361c61034952e56a4eaac26925\",\"sha256Checksum\":\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-85a1f9cb-fdf2-5bd3-8178-3d11c1f5cec4", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsBase.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597", "2021-09-16T19:20:29.168Z", 6656, "code42-exfil-share-datatype", "d8a0e4361c61034952e56a4eaac26925", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 2798890335140955527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.567023Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_60\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567023Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fef6c873d31e77de3f5c254593f606d0\",\"sha256Checksum\":\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"ema
ilRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ede94b18-04d2-554a-90e6-ab609600fa70", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3", "2021-09-16T19:20:29.167Z", 6144, "code42-exfil-share-datatype", "fef6c873d31e77de3f5c254593f606d0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.078Z 804e3b095828 Skyformation - 7299018334312800224 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724078 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XDocument.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.XDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.078Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=fef6c873d31e77de3f5c254593f606d0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 
ext_insertionTimestamp=2021-09-16T19:18:39.567035Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_65\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.078Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567035Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fef6c873d31e77de3f5c254593f606d0\",\"sha256Checksum\":\"971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_11_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f91637db-83e4-5758-b551-7c227aba1a5d", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.078Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "971ed23af5192f1de5147d0ac5e109a5672c97f3bf16f15b16b85a78e0c299d3", "2021-09-16T19:20:29.168Z", 6144, "code42-exfil-share-datatype", "fef6c873d31e77de3f5c254593f606d0", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.078Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:28:01.712Z 804e3b095828 Skyformation - 891655873053505721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 dproc=file events dtz=default-tenant end=1631827681712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:28:01.712Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:28:00.665Z ext_md5Checksum=043ea115b4517db2f0aa7c5853f7385b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659164 ext_insertionTimestamp=2021-09-16T21:28:58.572803Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222340578506635_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:28:01.712Z\",\"insertionTimestamp\":\"2021-09-16T21:28:58.572803Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659164,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"043ea115b4517db2f0aa7c5853f7385b\",\"sha256Checksum\":\"49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:28:00.665Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:28:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d5a79131-010e-5b41-9357-c3586091d05e", "observed_start_time": "2021-09-16T21:28:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:28:01.712Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:28:00.665Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "49a88e86913d4c5ae3671b5933b00cde145646bcb43103c6fa667aa76593b4e4", "2021-09-16T21:30:29.019Z", 6659164, "code42-exfil-share-datatype", "043ea115b4517db2f0aa7c5853f7385b", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:28:01.712Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.033Z 804e3b095828 Skyformation - 5428778102527363807 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712033 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.033Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.287Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567537Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_186\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.033Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567537Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-Test42Runner-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":468043,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2fa8d4d1035f2e127169e5e649d52ed1\",\"sha256Checksum\":\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"createTimestamp\":\"2021-09-16T14:29:26.269Z\",\"modifyTimestamp\":\"2021-09-16T14:29:26.287Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-04487d78-acfd-5735-a210-f113f8855f9c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-Test42Runner-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:26.287Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4", "2021-09-16T19:20:29.169Z", 468043, "code42-exfil-share-datatype", "2fa8d4d1035f2e127169e5e649d52ed1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.033Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:26.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain 
ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:02.481Z\",\"insertionTimestamp\":\"2021-09-16T22:55:54.847061Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661687,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3df126f4a090da12f2c29b6e5c1c29da\",\"sha256Checksum\":\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.206Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1d9f33fa-cc28-5fe5-9975-5003f91369d6", "observed_start_time": "2021-09-16T22:55:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "b5e047b0-70bf-4cda-9513-e3fb2fffd016", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:02.481Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:55:00.206Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c", "2021-09-16T22:58:29.755Z", 6661687, "code42-exfil-share-datatype", "3df126f4a090da12f2c29b6e5c1c29da", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:55:02.481Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:06:01.028Z 804e3b095828 Skyformation - 8997259429135136842 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 dproc=file events dtz=default-tenant end=1631829961028 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:06:01.028Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:06:00.773Z ext_md5Checksum=e3826febfa687b19d431037a05e3d695 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660266 ext_insertionTimestamp=2021-09-16T22:06:57.577426Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226166756833163_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:06:01.028Z\",\"insertionTimestamp\":\"2021-09-16T22:06:57.577426Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660266,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e3826febfa687b19d431037a05e3d695\",\"sha256Checksum\":\"a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:06:00.773Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:06:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61424_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61424_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0c80d806-8279-587b-8b43-c95ce2fcdd89", "observed_start_time": "2021-09-16T22:06:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:06:01.028Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:06:00.773Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a21032a2a81526712a7d815497003a0ddb74293c1400e5a60c4bccf313a135c6", "2021-09-16T22:08:29.515Z", 6660266, "code42-exfil-share-datatype", "e3826febfa687b19d431037a05e3d695", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:06:01.028Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:01:01.612Z 804e3b095828 Skyformation - 5476861324589104236 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 dproc=file events dtz=default-tenant end=1631829661612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:01:01.612Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:01:00.223Z ext_md5Checksum=aa34550e46232e041e8738f575568b63 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660121 ext_insertionTimestamp=2021-09-16T22:01:32.790174Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225619819591563_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:01:01.612Z\",\"insertionTimestamp\":\"2021-09-16T22:01:32.790174Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660121,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa34550e46232e041e8738f575568b63\",\"sha256Checksum\":\"6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:01:00.223Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:01:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7f05d117-a06c-5922-8649-7708e4d80765", "observed_start_time": "2021-09-16T22:01:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:01:01.612Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:01:00.223Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6c96b2d57c5f3235ec4da5979c9b5e758c9db3e18113be70a20ef35cadf45530", "2021-09-16T22:04:30.120Z", 6660121, "code42-exfil-share-datatype", "aa34550e46232e041e8738f575568b63", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:01:01.612Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:39:03.445Z 804e3b095828 Skyformation - 2624752478966021475 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 dproc=file events dtz=default-tenant end=1631821143445 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:39:03.445Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:39:01.028Z ext_md5Checksum=2f0e54e1e35e34e9a4b6c5b586789edf ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656003 ext_insertionTimestamp=2021-09-16T19:40:23.773101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025211409265981323_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:39:03.445Z\",\"insertionTimestamp\":\"2021-09-16T19:40:23.773101Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656003,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2f0e54e1e35e34e9a4b6c5b586789edf\",\"sha256Checksum\":\"22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:39:01.028Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:39:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61338_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61338_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d473561a-d486-58d7-9d54-79dca5b2d69e", "observed_start_time": "2021-09-16T19:39:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:39:03.445Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:39:01.028Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "22552b628e8c9133c2c2f17f1879171ae6d75c4f393c379876bad7750f9f0534", "2021-09-16T19:40:28.880Z", 6656003, "code42-exfil-share-datatype", "2f0e54e1e35e34e9a4b6c5b586789edf", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:39:03.445Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:55:01.913Z 804e3b095828 Skyformation - 1768128187348227515 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 dproc=file events dtz=default-tenant end=1631829301913 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:55:01.913Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:55:00.543Z ext_md5Checksum=dc00517c1ea40d76a86ac0775630315b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659947 ext_insertionTimestamp=2021-09-16T21:56:06.248063Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025225073268225931_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:55:01.913Z\",\"insertionTimestamp\":\"2021-09-16T21:56:06.248063Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659947,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"dc00517c1ea40d76a86ac0775630315b\",\"sha256Checksum\":\"dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:55:00.543Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:55:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61422_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61422_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-15c0c9b0-6bdf-53a1-add0-1f2928d4286d", "observed_start_time": "2021-09-16T21:55:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:55:01.913Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:55:00.543Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "dc40599985c8377aa4c89ae8664be51f745f20bf49515bd8d12d446a483e2e37", "2021-09-16T21:58:29.321Z", 6659947, "code42-exfil-share-datatype", "dc00517c1ea40d76a86ac0775630315b", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:55:01.913Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:17:01.240Z 804e3b095828 Skyformation - 6379287197034431494 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 dproc=file events dtz=default-tenant end=1631827021240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:17:01.240Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:17:00.229Z ext_md5Checksum=37d786d2ffe3997a1a4913f817e1163c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658845 ext_insertionTimestamp=2021-09-16T21:18:05.961899Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221246787909515_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:17:01.240Z\",\"insertionTimestamp\":\"2021-09-16T21:18:05.961899Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658845,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"37d786d2ffe3997a1a4913f817e1163c\",\"sha256Checksum\":\"144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:17:00.229Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:17:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61401_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61401_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4e4fc7d1-49ea-5c9b-bca5-6f1b79386f29", "observed_start_time": "2021-09-16T21:17:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:17:01.240Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:17:00.229Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "144b4c2832ab13eda22cccdac0ee6d1ac8e2738eb7df1592708f28c3bd4ed817", "2021-09-16T21:18:29.165Z", 6658845, "code42-exfil-share-datatype", "37d786d2ffe3997a1a4913f817e1163c", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:17:01.240Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 7619218699635329950 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567201Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_108\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567201Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libclrjit.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2741416,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"650f69041d44556a5f3bdbcace8b3dea\",\"sha256Checksum\":\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"createTimestamp\":\"2020-01-17T02:29:02Z\",\"modifyTimestamp\":\"2020-01-17T02:29:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_17_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66849bfc-3193-508e-8ee8-6bb759846345", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libclrjit.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:29:02Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959", "2021-09-16T19:20:29.167Z", 2741416, "code42-exfil-share-datatype", "650f69041d44556a5f3bdbcace8b3dea", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:29:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:06:01.487Z 804e3b095828 Skyformation - 6710622959611147958 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 dproc=file events dtz=default-tenant end=1631826361487 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:06:01.487Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:06:00.163Z ext_md5Checksum=60bf5e7434748875904b3d240e9933b7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658526 ext_insertionTimestamp=2021-09-16T21:07:13.335410Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025220153316079499_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:06:01.487Z\",\"insertionTimestamp\":\"2021-09-16T21:07:13.335410Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658526,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"60bf5e7434748875904b3d240e9933b7\",\"sha256Checksum\":\"f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:06:00.163Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:06:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61346_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61346_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-367d899b-650f-51b4-a6a1-0534a3961b75", "observed_start_time": "2021-09-16T21:06:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:06:01.487Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:06:00.163Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "f3728191bc8440d5318d91ae0a509e20b3b40f6b3400c728e46b23de8effa7ba", "2021-09-16T21:08:28.978Z", 6658526, "code42-exfil-share-datatype", "60bf5e7434748875904b3d240e9933b7", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:06:01.487Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:34:01.736Z 804e3b095828 Skyformation - 2573052291884632109 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 dproc=file events dtz=default-tenant 
end=1631820841736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:34:01.736Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:34:00.437Z ext_md5Checksum=5082d25b519827369f4026d1de2ee6ca ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6655858 ext_insertionTimestamp=2021-09-16T19:34:57.134540Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025210862949496715_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:34:01.736Z\",\"insertionTimestamp\":\"2021-09-16T19:34:57.134540Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6655858,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5082d25b519827369f4026d1de2ee6ca\",\"sha256Checksum\":\"7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:34:00.437Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:34:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61335_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61335_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d0c40d9-1a17-5018-b60d-c3342b98c94c", "observed_start_time": "2021-09-16T19:34:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:34:01.736Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:34:00.437Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7258a75e53776fde67f3d955793dd70109b78343b26cadf10c76c4095391951b", "2021-09-16T19:36:28.977Z", 6655858, "code42-exfil-share-datatype", "5082d25b519827369f4026d1de2ee6ca", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:34:01.736Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 2397866919275056029 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Web.HttpUtility.dll fsize=36864 msg=Resource [Resource: file :: System.Web.HttpUtility.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Web.HttpUtility.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=306b1de856625f7499d783f7b4b79f38 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36864 ext_insertionTimestamp=2021-09-16T19:18:39.566889Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_24\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.743Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566889Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Web.HttpUtility.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36864,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"306b1de856625f7499d783f7b4b79f38\",\"sha256Checksum\":\"125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_3_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-811d4e91-e46b-5844-9af9-7c850abf3da3", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.743Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Web.HttpUtility.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "125f920e3171fb65150143086ac7b04642f0434a1a2e3962ba921f42ae373dd8", "2021-09-16T19:20:29.168Z", 36864, "code42-exfil-share-datatype", "306b1de856625f7499d783f7b4b79f38", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.743Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 58574569231396443 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:27.487Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567858Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.287Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_260\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567858Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-common-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6080452,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"08215631827e4179e243d27b5f502f90\",\"sha256Checksum\":\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"createTimestamp\":\"2021-09-16T14:29:27.287Z\",\"modifyTimestamp\":\"2021-09-16T14:29:27.487Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRec
ipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2080f524-24c7-5036-968e-df2b85f1b54f", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-common-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:27.487Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1", "2021-09-16T19:20:29.170Z", 6080452, "code42-exfil-share-datatype", "08215631827e4179e243d27b5f502f90", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.287Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.747Z 804e3b095828 Skyformation - 6719904774936520368 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711747 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.747Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567380Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_156\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.747Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567380Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"netstandard.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":105472,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3d47f885a18937d6fd0fde935538560b\",\"sha256Checksum\":\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7c9d9285-5d31-550b-a4b2-9fd3d3b8a388", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.747Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "netstandard.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8", "2021-09-16T19:20:29.171Z", 105472, "code42-exfil-share-datatype", "3d47f885a18937d6fd0fde935538560b", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.747Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.996Z 804e3b095828 Skyformation - 3176029036093175203 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711996 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=dotnet-runtime-3.1.2-osx-x64.tar.gz fsize=29915862 msg=Resource [Resource: file :: dotnet-runtime-3.1.2-osx-x64.tar.gz] was deleted by [kathy.kane@c42se.com] proto=gz requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:11.996Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-runtime-3.1.2-osx-x64.tar.gz ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/gzip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:36.132Z ext_md5Checksum=f83a55de32ce1a89fb5b123257830cba ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=29915862 ext_insertionTimestamp=2021-09-16T19:18:39.567560Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:35.234Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/gzip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_190\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.996Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567560Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-runtime-3.1.2-osx-x64.tar.gz\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":29915862,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f83a55de32ce1a89fb5b123257830cba\",\"sha256Checksum\":\"782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855\",\"createTimestamp\":\"2021-09-16T14:29:35.234Z\",\"modifyTimestamp\":\"2021-09-16T14:29:36.132Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActive
Hours\":false,\"mimeTypeByBytes\":\"application/gzip\",\"mimeTypeByExtension\":\"application/gzip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2b217573-785b-532d-860e-9598234213e8", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.996Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-runtime-3.1.2-osx-x64.tar.gz", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:36.132Z", "application/gzip", "DELETED", "162.222.47.183", "kathy.kane", "782cce0b5c253e85e868dd5d88fdcd85ac3a27817275c1c53017b9162d4a5855", "2021-09-16T19:20:29.167Z", 29915862, "code42-exfil-share-datatype", "f83a55de32ce1a89fb5b123257830cba", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.996Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:35.234Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 3843752372852811386 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Dotnet.sh fsize=202 msg=Resource [Resource: file :: launchTest42Console-Dotnet.sh] was deleted by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Dotnet.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.005Z ext_md5Checksum=2d2bf0d9382070b7cca29a72b3936e5d ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=202 ext_insertionTimestamp=2021-09-16T19:18:39.568088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.005Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_320\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.994Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568088Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Dotnet.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":202,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2d2bf0d9382070b7cca29a72b3936e5d\",\"sha256Checksum\":\"4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca\",\"createTimestamp\":\"2021-09-16T14:29:41.005Z\",\"modifyTimestamp\":\"2021-09-16T14:29:41.005Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_6_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bf1190c9-a884-5c2a-bb2c-2795c5d957d1", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.994Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Dotnet.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:41.005Z", "application/x-sh", "DELETED", "162.222.47.183", "kathy.kane", "4b1356a5208b496ce87d575fa2878a8a8bd806552b24a74b6680936c37f18bca", "2021-09-16T19:20:29.167Z", 202, "code42-exfil-share-datatype", "2d2bf0d9382070b7cca29a72b3936e5d", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.994Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:41.005Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 2213325285618451753 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.446Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 ext_insertionTimestamp=2021-09-16T19:18:39.568020Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:31.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_302\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568020Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-rest-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6976661,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f20102257ab369adb8dd6cb6c50014fe\",\"sha256Checksum\":\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"createTimestamp\":\"2021-09-16T14:29:31.221Z\",\"modifyTimestamp\":\"2021-09-16T14:29:31.446Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_14_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cd8f9d6d-f964-5596-b969-1adc4cbab814", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-rest-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:31.446Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf", "2021-09-16T19:20:29.167Z", 6976661, "code42-exfil-share-datatype", "f20102257ab369adb8dd6cb6c50014fe", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:31.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:34:01.973Z 804e3b095828 Skyformation - 2524988023863085362 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 dproc=file events dtz=default-tenant end=1631824441973 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:34:01.973Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:34:00.215Z ext_md5Checksum=ff960d04995e3896e1e5f9b9280fa4ab ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657598 ext_insertionTimestamp=2021-09-16T20:34:41.194795Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216874595088267_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:34:01.973Z\",\"insertionTimestamp\":\"2021-09-16T20:34:41.194795Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657598,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"ff960d04995e3896e1e5f9b9280fa4ab\",\"sha256Checksum\":\"80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:34:00.215Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:34:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61340_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cab0f6ad-bf33-5b50-a385-5e8c1204635d", "observed_start_time": "2021-09-16T20:34:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:34:01.973Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:34:00.215Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "80bb4830ca2301c83493d331251f35ef5a3b14762e9f30b26fbc32f79a6a975f", "2021-09-16T20:36:28.548Z", 6657598, "code42-exfil-share-datatype", "ff960d04995e3896e1e5f9b9280fa4ab", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:34:01.973Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.997Z 804e3b095828 Skyformation - 9109378012419032857 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711997 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console-8.2.3.dll fsize=54784 msg=Resource [Resource: file :: Test42Console-8.2.3.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.997Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console-8.2.3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.508Z ext_md5Checksum=d69ac3af560428f6948dc20b997161ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=54784 ext_insertionTimestamp=2021-09-16T19:18:39.567403Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.502Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_162\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.997Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567403Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console-8.2.3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":54784,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d69ac3af560428f6948dc20b997161ee\",\"sha256Checksum\":\"880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43\",\"createTimestamp\":\"2021-09-16T14:29:32.502Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.508Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_17_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-71cfb374-ab6b-5662-ab30-1b3fb949df3c", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.997Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Test42Console-8.2.3.dll", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.508Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "880b1131267272f7329b0ce09917e72b4f3a6211f0b021470a23077bd253ac43", "2021-09-16T19:20:29.167Z", 54784, "code42-exfil-share-datatype", "d69ac3af560428f6948dc20b997161ee", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.997Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.502Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.818Z 804e3b095828 Skyformation - 1887769325684873078 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723818 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=mscorlib.dll fsize=57216 msg=Resource [Resource: file :: mscorlib.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.818Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=mscorlib.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T18:07:34Z ext_md5Checksum=9720675697af7ba93cd049a9b7f757ef ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=57216 ext_insertionTimestamp=2021-09-16T19:18:39.567347Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T18:07:34Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_149\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.818Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567347Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"mscorlib.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":57216,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"9720675697af7ba93cd049a9b7f757ef\",\"sha256Checksum\":\"ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c\",\"createTimestamp\":\"2020-01-17T18:07:34Z\",\"modifyTimestamp\":\"2020-01-17T18:07:34Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipien
ts\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ccf85660-82e2-5086-a281-3206e1b2858e", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.818Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorlib.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T18:07:34Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "ad161034cb1f799334fdad5aade78801932a3cb396afb5059b24075774d8855c", "2021-09-16T19:20:29.167Z", 57216, "code42-exfil-share-datatype", "9720675697af7ba93cd049a9b7f757ef", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.818Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T18:07:34Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.744Z 804e3b095828 Skyformation - 4770681899815013348 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711744 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.744Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566957Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_42\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.744Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566957Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Linq.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2b104a782e44ca704503ca9b3c635c9e\",\"sha256Checksum\":\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e5d743d0-0232-5b8e-b0cb-1edd0490dd9f", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.744Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Linq.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437", "2021-09-16T19:20:29.170Z", 6144, "code42-exfil-share-datatype", "2b104a782e44ca704503ca9b3c635c9e", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.744Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 4590047523480219385 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.338Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 ext_insertionTimestamp=2021-09-16T19:18:39.567627Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.318Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_206\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567627Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":652056,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"23ba5e96a691edc4773fec0f88bf952f\",\"sha256Checksum\":\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"createTimestamp\":\"2021-09-16T14:29:32.318Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.338Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRe
cipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5e9f4477-1d64-576f-b3a8-241c6015add6", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.FileSystemWindows-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.338Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5", "2021-09-16T19:20:29.166Z", 652056, "code42-exfil-share-datatype", "23ba5e96a691edc4773fec0f88bf952f", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.318Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:33:01.545Z 804e3b095828 Skyformation - 7073850292788359537 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 dproc=file events dtz=default-tenant end=1631827981545 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:33:01.545Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:33:00.213Z ext_md5Checksum=20d1f8a835b0834eb7b5d80569deed62 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659309 ext_insertionTimestamp=2021-09-16T21:34:24.032240Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025222887264089995_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:33:01.545Z\",\"insertionTimestamp\":\"2021-09-16T21:34:24.032240Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659309,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"20d1f8a835b0834eb7b5d80569deed62\",\"sha256Checksum\":\"582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:33:00.213Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:33:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5369c67b-c8ed-5b7f-81d6-ec60324367ab", "observed_start_time": "2021-09-16T21:33:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:33:01.545Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:33:00.213Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "582584deff5c67445910e8c72a33fc2936f2b61cfe13b88406afdfd0b654f11c", "2021-09-16T21:34:28.994Z", 6659309, "code42-exfil-share-datatype", "20d1f8a835b0834eb7b5d80569deed62", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:33:01.545Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.743Z 804e3b095828 Skyformation - 146293528143524055 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711743 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ValueTuple.dll fsize=5632 msg=Resource [Resource: file :: System.ValueTuple.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.743Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.ValueTuple.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=749df27ac6199cfa7c4b38c78528d3c7 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=5632 ext_insertionTimestamp=2021-09-16T19:18:39.566867Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_18\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.743Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566867Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.ValueTuple.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":5632,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"749df27ac6199cfa7c4b38c78528d3c7\",\"sha256Checksum\":\"b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_5_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1abdcd59-cf9e-5f35-bf4b-d2994605bd55", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.743Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ValueTuple.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "b739af4d150bf212ade0f42526367131f0faeef8bbf1722866c434531417b54e", "2021-09-16T19:20:29.169Z", 5632, "code42-exfil-share-datatype", "749df27ac6199cfa7c4b38c78528d3c7", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.743Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.755Z 804e3b095828 Skyformation - 1836552121230087232 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719755 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.755Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.755Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567661Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.736Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_217\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.755Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567661Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":626077,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8824ed0806692fe40c6cc57f282862d1\",\"sha256Checksum\":\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"createTimestamp\":\"2021-09-16T19:15:18.736Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.755Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-28195e6b-c15a-559b-a699-d2f6641591b7", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.755Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.MachineManager-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.755Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30", "2021-09-16T19:20:29.157Z", 626077, "code42-exfil-share-datatype", "8824ed0806692fe40c6cc57f282862d1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.755Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.736Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:44:01.388Z 804e3b095828 Skyformation - 1266689014865399645 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 dproc=file events dtz=default-tenant end=1631832241388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:44:01.388Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:44:00.938Z ext_md5Checksum=b40c0a5ea13afe384316a54705f0d1b4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661368 ext_insertionTimestamp=2021-09-16T22:44:58.435091Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229993220372363_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:44:01.388Z\",\"insertionTimestamp\":\"2021-09-16T22:44:58.435091Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661368,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"b40c0a5ea13afe384316a54705f0d1b4\",\"sha256Checksum\":\"a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:44:00.938Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:44:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d639f22b-9cff-59ed-9021-3ad255581d0e", "observed_start_time": "2021-09-16T22:44:01Z", "count": 1, "observable_type": "email", "ctr_uuid": "a996d996-7445-4022-a863-c1845dab62f5", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:44:01.388Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:44:00.938Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a049d88cbb601c5b295b9e33ff0a0c8d1ba9abf5106f653ac39240535264cd5d", "2021-09-16T22:46:30.421Z", 6661368, "code42-exfil-share-datatype", "b40c0a5ea13afe384316a54705f0d1b4", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:44:01.388Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.770Z 804e3b095828 Skyformation - 6071486703917102800 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718770 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.770Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:17.840Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567818Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.648Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_259\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.770Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567818Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7005905,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5f7aa4fdb5ef4c7a5a5124f614865982\",\"sha256Checksum\":\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"createTimestamp\":\"2021-09-16T19:15:17.648Z\",\"modifyTimestamp\":\"2021-09-16T19:15:17.840Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-08118857-1290-5488-af20-857c21d6bdd1", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.770Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-visualization-service-rest-2.1.0.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:17.840Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240", "2021-09-16T19:20:29.169Z", 7005905, "code42-exfil-share-datatype", "5f7aa4fdb5ef4c7a5a5124f614865982", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.770Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.648Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.079Z 804e3b095828 Skyformation - 5370534398414402294 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724079 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.XmlDocument.dll fsize=6656 msg=Resource [Resource: file :: System.Xml.XmlDocument.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.079Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlDocument.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=447d8892131a4e11ea225e3b1ffe34b1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567101Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_83\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.079Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567101Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XmlDocument.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"447d8892131a4e11ea225e3b1ffe34b1\",\"sha256Checksum\":\"a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"e
mailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f80475c4-c69b-58e5-a9ed-33af9056766f", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.079Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XmlDocument.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "a0035fe94664ef36bfb3d7cb078cfdf45253e6f63874510fb692e2104b030abe", "2021-09-16T19:20:29.171Z", 6656, "code42-exfil-share-datatype", "447d8892131a4e11ea225e3b1ffe34b1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.079Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:56:02.173Z 804e3b095828 Skyformation - 7188922889508140062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 dproc=file events dtz=default-tenant end=1631822162173 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:56:02.173Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:56:00.923Z ext_md5Checksum=fc552e5a9046ea13a5d6106e2b2f9b76 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656496 ext_insertionTimestamp=2021-09-16T19:56:39.322640Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213049188513675_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T19:56:02.173Z\",\"insertionTimestamp\":\"2021-09-16T19:56:39.322640Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656496,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"fc552e5a9046ea13a5d6106e2b2f9b76\",\"sha256Checksum\":\"3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T19:56:00.923Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"
emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:56:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61339_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5b13a540-ce0b-5885-ac3e-33c0b65dba06", "observed_start_time": "2021-09-16T19:56:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:56:02.173Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:56:00.923Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3bd5ecd2da5fd9f55013fae2fe851a23f03ab8cdc8f1d8fa22fa2a66e02d1cb4", "2021-09-16T19:58:28.306Z", 6656496, "code42-exfil-share-datatype", "fc552e5a9046ea13a5d6106e2b2f9b76", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:56:02.173Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.074Z 804e3b095828 Skyformation - 8477448688941154930 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819724074 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=System.Xml.Linq.dll fsize=6144 msg=Resource [Resource: file :: System.Xml.Linq.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.074Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.Linq.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=2b104a782e44ca704503ca9b3c635c9e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6144 ext_insertionTimestamp=2021-09-16T19:18:39.566968Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_47\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.074Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.566968Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.Linq.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6144,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2b104a782e44ca704503ca9b3c635c9e\",\"sha256Checksum\":\"c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_14_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e28b082b-fc8d-5d89-9b34-4381e18289c2", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.074Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.Linq.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "c2e5a46de4f3964c350a7f294111becee639329f23471826a595854383935437", "2021-09-16T19:20:29.167Z", 6144, "code42-exfil-share-datatype", "2b104a782e44ca704503ca9b3c635c9e", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.074Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:11:00.794Z 804e3b095828 Skyformation - 2404635122291901530 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 dproc=file events dtz=default-tenant end=1631830260794 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:11:00.794Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:11:00.379Z ext_md5Checksum=951245aef74b1e8b33f4500e499e686a ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660411 ext_insertionTimestamp=2021-09-16T22:12:24.819165Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025226713157203851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:11:00.794Z\",\"insertionTimestamp\":\"2021-09-16T22:12:24.819165Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660411,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"951245aef74b1e8b33f4500e499e686a\",\"sha256Checksum\":\"e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:11:00.379Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:11:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cfed350e-a44b-53ce-b882-dc197c8f62b6", "observed_start_time": "2021-09-16T22:11:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:11:00.794Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:11:00.379Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "e7d8c3204b5dbd3d5ec8f3dc922933507ef16c698e8b713789b366d9a8bb53da", "2021-09-16T22:12:29.328Z", 6660411, "code42-exfil-share-datatype", "951245aef74b1e8b33f4500e499e686a", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:11:00.794Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.746Z 804e3b095828 Skyformation - 8233299408064618554 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819711746 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libhostpolicy.dylib fsize=315420 msg=Resource [Resource: file :: libhostpolicy.dylib] was deleted by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.746Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libhostpolicy.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:42:18Z ext_md5Checksum=006913ffaf68f205cc00bd03cc0d3761 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=315420 ext_insertionTimestamp=2021-09-16T19:18:39.567268Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:42:18Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_126\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.746Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567268Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libhostpolicy.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":315420,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"006913ffaf68f205cc00bd03cc0d3761\",\"sha256Checksum\":\"d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c\",\"createTimestamp\":\"2020-01-17T20:42:18Z\",\"modifyTimestamp\":\"2020-01-17T20:42:18Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61262_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61262_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b22fa99e-4961-5cd7-94d9-94743bc7cc5a", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.746Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libhostpolicy.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:42:18Z", "application/octet-stream", "DELETED", "162.222.47.183", "kathy.kane", "d0e481580767bc5cbcd4171ad458e40319fb3252966db9da32de24160d755d3c", "2021-09-16T19:20:29.158Z", 315420, "code42-exfil-share-datatype", "006913ffaf68f205cc00bd03cc0d3761", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.746Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:42:18Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:28:03.165Z 804e3b095828 Skyformation - 4940785117334694295 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 dproc=file events dtz=default-tenant end=1631824083165 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:28:03.165Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:28:00.813Z ext_md5Checksum=d4b2584cc8639725ef1a77f10489af6e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657424 ext_insertionTimestamp=2021-09-16T20:29:14.653406Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025216327775287179_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:28:03.165Z\",\"insertionTimestamp\":\"2021-09-16T20:29:14.653406Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657424,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d4b2584cc8639725ef1a77f10489af6e\",\"sha256Checksum\":\"4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:28:00.813Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:28:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-91bf6af3-6d39-5a96-81d4-c4908b781523", "observed_start_time": "2021-09-16T20:28:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:28:03.165Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:28:00.813Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "4fdad18826898384bffb42dd897b7b484e706f5ed4d17ce3dfbf728861f7d0c4", "2021-09-16T20:30:28.534Z", 6657424, "code42-exfil-share-datatype", "d4b2584cc8639725ef1a77f10489af6e", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:28:03.165Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 8309860196715459145 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=T42.Automation.Fixture.MachineManager-18.0.13.zip fsize=626077 msg=Resource [Resource: file :: T42.Automation.Fixture.MachineManager-18.0.13.zip] was deleted by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.MachineManager-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.239Z ext_md5Checksum=8824ed0806692fe40c6cc57f282862d1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=626077 ext_insertionTimestamp=2021-09-16T19:18:39.567649Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.212Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_212\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567649Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.MachineManager-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":626077,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8824ed0806692fe40c6cc57f282862d1\",\"sha256Checksum\":\"48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30\",\"createTimestamp\":\"2021-09-16T14:29:32.212Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.239Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_5_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0e24644f-f291-5bd2-bc35-86a9b5d0b7a3", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.MachineManager-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.239Z", "application/zip", "DELETED", "162.222.47.183", "kathy.kane", "48c672d99786df7dc7875d5d6ffd974ea83dd765009e56a6421b1c0ea4037d30", "2021-09-16T19:20:29.169Z", 626077, "code42-exfil-share-datatype", "8824ed0806692fe40c6cc57f282862d1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.212Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:55:02.138Z 804e3b095828 Skyformation - 729364201181628912 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 dproc=file events dtz=default-tenant end=1631825702138 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:55:02.138Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:55:00.753Z ext_md5Checksum=63d8ad93f3a8ccf161c446bd00ebe0ee ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6658207 ext_insertionTimestamp=2021-09-16T20:56:21.765014Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025219060481783691_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:55:02.138Z\",\"insertionTimestamp\":\"2021-09-16T20:56:21.765014Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6658207,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"63d8ad93f3a8ccf161c446bd00ebe0ee\",\"sha256Checksum\":\"d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:55:00.753Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61345_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61345_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-288534d9-fd19-501f-a62b-9ccd21200713", "observed_start_time": "2021-09-16T20:55:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:55:02.138Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:55:00.753Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d33daf625afb3d59719bc00402a3ed11d11ff23c95d4f13a4f34f15ff2737d8e", "2021-09-16T20:58:28.798Z", 6658207, "code42-exfil-share-datatype", "63d8ad93f3a8ccf161c446bd00ebe0ee", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:55:02.138Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 8983082904017481833 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:28.729Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567951Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:27.871Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_284\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567951Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26151827,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"4686b7fd21e7fb7459728108e94bdda5\",\"sha256Checksum\":\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"createTimestamp\":\"2021-09-16T14:29:27.871Z\",\"modifyTimestamp\":\"2021-09-16T14:29:28.729Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_10_61269_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61269_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ea36b47c-6754-5ecf-931a-a6132c50aa22", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-desktop-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:28.729Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455", "2021-09-16T19:20:29.170Z", 26151827, "code42-exfil-share-datatype", "4686b7fd21e7fb7459728108e94bdda5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:27.871Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:12:03.215Z 804e3b095828 Skyformation - 6886991114765220858 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 dproc=file events dtz=default-tenant end=1631823123215 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:12:03.215Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:12:00.952Z ext_md5Checksum=326e1e96ac5b97f92334ae3ed0af00a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656960 ext_insertionTimestamp=2021-09-16T20:12:57.237021Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025214688691615627_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:12:03.215Z\",\"insertionTimestamp\":\"2021-09-16T20:12:57.237021Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656960,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"326e1e96ac5b97f92334ae3ed0af00a9\",\"sha256Checksum\":\"7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:12:00.952Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:12:03Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61340_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61340_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4187d125-6fed-5e14-872a-e781ac9c07c7", "observed_start_time": "2021-09-16T20:12:03Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:12:03.215Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:12:00.952Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "7d2ea18c740a6e6b62191298aa5396bf3db048a6721b69c432e2673c6b4196bc", "2021-09-16T20:14:29.101Z", 6656960, "code42-exfil-share-datatype", "326e1e96ac5b97f92334ae3ed0af00a9", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:12:03.215Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 3519140269928418882 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-code42-visualization-service-rest-2.1.0.jar fsize=7005905 msg=Resource [Resource: file :: test42-fixture-code42-visualization-service-rest-2.1.0.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-visualization-service-rest-2.1.0.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.847Z ext_md5Checksum=5f7aa4fdb5ef4c7a5a5124f614865982 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7005905 ext_insertionTimestamp=2021-09-16T19:18:39.567807Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost 
ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.631Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_254\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567807Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-visualization-service-rest-2.1.0.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7005905,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5f7aa4fdb5ef4c7a5a5124f614865982\",\"sha256Checksum\":\"213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240\",\"createTimestamp\":\"2021-09-16T14:29:30.631Z\",\"modifyTimestamp\":\"2021-09-16T14:29:30.847Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_0_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c15684c1-40f1-5e8d-a549-ec971abac766", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-visualization-service-rest-2.1.0.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:30.847Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "213935193f6bae4a96721db41de632278aebc7af78f1b5ecf1fc91f8961d8240", "2021-09-16T19:20:29.168Z", 7005905, "code42-exfil-share-datatype", "5f7aa4fdb5ef4c7a5a5124f614865982", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.631Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:39:02.995Z 804e3b095828 Skyformation - 2457476870350379974 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 dproc=file events dtz=default-tenant end=1631824742995 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:39:02.995Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:39:00.749Z ext_md5Checksum=c777bda26af371c784639bf97c796a30 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657743 ext_insertionTimestamp=2021-09-16T20:40:03.955501Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025217420911572875_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:39:02.995Z\",\"insertionTimestamp\":\"2021-09-16T20:40:03.955501Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657743,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c777bda26af371c784639bf97c796a30\",\"sha256Checksum\":\"2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:39:00.749Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:39:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61342_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61342_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8fd13adc-a57f-52b3-afec-f4d6286a241e", "observed_start_time": "2021-09-16T20:39:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:39:02.995Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:39:00.749Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "2bc2063816a6da64c60fce79610d73b9a8419571554b4fec6ae4d3b0d0d7be9a", "2021-09-16T20:40:29.204Z", 6657743, "code42-exfil-share-datatype", "c777bda26af371c784639bf97c796a30", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:39:02.995Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.898Z 804e3b095828 Skyformation - 4866351305492022215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819715898 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-desktop-18.0.194-develop-194.jar fsize=26151827 msg=Resource [Resource: file :: test42-fixture-desktop-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.898Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-desktop-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:16.117Z ext_md5Checksum=4686b7fd21e7fb7459728108e94bdda5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26151827 ext_insertionTimestamp=2021-09-16T19:18:39.567962Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.422Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_289\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.898Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567962Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-desktop-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26151827,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"4686b7fd21e7fb7459728108e94bdda5\",\"sha256Checksum\":\"67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455\",\"createTimestamp\":\"2021-09-16T19:15:15.422Z\",\"modifyTimestamp\":\"2021-09-16T19:15:16.117Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f72d64ad-9c47-5fe9-abad-e1411db140d1", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.898Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-desktop-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:16.117Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "67e31caef7fc784caa1946c3018f2dc37612d44d07d0494ca7151382e1f52455", "2021-09-16T19:20:29.168Z", 26151827, "code42-exfil-share-datatype", "4686b7fd21e7fb7459728108e94bdda5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.898Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:15.422Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:17:02.470Z 804e3b095828 Skyformation - 3355602177351257247 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 dproc=file events dtz=default-tenant end=1631823422470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:17:02.470Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:17:00.510Z ext_md5Checksum=79e223064e50c50dc63e89e30862e8f4 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657105 ext_insertionTimestamp=2021-09-16T20:18:24.025397Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215235108763531_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:17:02.470Z\",\"insertionTimestamp\":\"2021-09-16T20:18:24.025397Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657105,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"79e223064e50c50dc63e89e30862e8f4\",\"sha256Checksum\":\"5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:17:00.510Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:17:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6d5a20a2-f50e-5f19-a010-b1be1e470e1d", "observed_start_time": "2021-09-16T20:17:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:17:02.470Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:17:00.510Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5fb8c073667f954a4bfc67074398de2a9d921842738b78d801f387865b87f7e3", "2021-09-16T20:20:29.219Z", 6657105, "code42-exfil-share-datatype", "79e223064e50c50dc63e89e30862e8f4", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:17:02.470Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.801Z 804e3b095828 Skyformation - 621632533739725350 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819723801 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=libclrjit.dylib fsize=2741416 msg=Resource [Resource: file :: libclrjit.dylib] was created by [kathy.kane@c42se.com] proto=dylib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.801Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=libclrjit.dylib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T02:29:02Z ext_md5Checksum=650f69041d44556a5f3bdbcace8b3dea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2741416 ext_insertionTimestamp=2021-09-16T19:18:39.567212Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T02:29:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-mach-o ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_113\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.801Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567212Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"libclrjit.dylib\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":2741416,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"650f69041d44556a5f3bdbcace8b3dea\",\"sha256Checksum\":\"8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959\",\"createTimestamp\":\"2020-01-17T02:29:02Z\",\"modifyTimestamp\":\"2020-01-17T02:29:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-mach-o\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_4_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4ae4ea8f-75b0-5f70-bab5-178877150abf", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.801Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libclrjit.dylib", "KATHYK-OSX (2)", "localhost", "2020-01-17T02:29:02Z", "application/octet-stream", "CREATED", "162.222.47.183", "kathy.kane", "8da5e2ad4f7e2c8c3fa0ce293dcac288ac8ba3227adfc16efedfffb6c10cb959", "2021-09-16T19:20:29.158Z", 2741416, "code42-exfil-share-datatype", "650f69041d44556a5f3bdbcace8b3dea", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.801Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T02:29:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:49:02.292Z 804e3b095828 Skyformation - 1350603041899679478 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 dproc=file events dtz=default-tenant end=1631832542292 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:49:02.292Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:49:00.527Z ext_md5Checksum=e36e7a007a335fab0b5c84fd64dfdccc ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661513 ext_insertionTimestamp=2021-09-16T22:50:23.782238Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025230540090505099_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:49:02.292Z\",\"insertionTimestamp\":\"2021-09-16T22:50:23.782238Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661513,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e36e7a007a335fab0b5c84fd64dfdccc\",\"sha256Checksum\":\"5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:49:00.527Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:49:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61444_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61444_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-af4fbb0a-af39-5538-9106-9b2db2646476", "observed_start_time": "2021-09-16T22:49:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "e6bed5f8-b4eb-48c3-a7d6-93dcd222e271", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:49:02.292Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:49:00.527Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "5a056d54e959323173f285c4d160607292944a3a9b14e187255a1e0fb83224ca", "2021-09-16T22:52:31.870Z", 6661513, "code42-exfil-share-datatype", "e36e7a007a335fab0b5c84fd64dfdccc", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:49:02.292Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.761Z 804e3b095828 Skyformation - 2980995002300610810 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719761 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip fsize=652056 msg=Resource [Resource: file :: T42.Automation.Fixture.FileSystemWindows-18.0.13.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/dotnet/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.761Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=T42.Automation.Fixture.FileSystemWindows-18.0.13.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.832Z ext_md5Checksum=23ba5e96a691edc4773fec0f88bf952f ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=652056 
ext_insertionTimestamp=2021-09-16T19:18:39.567638Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.812Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_211\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.761Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567638Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/dotnet/\",\"fileName\":\"T42.Automation.Fixture.FileSystemWindows-18.0.13.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":652056,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"23ba5e96a691edc4773fec0f88bf952f\",\"sha256Checksum\":\"5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5\",\"createTimestamp\":\"2021-09-16T19:15:18.812Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.832Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_8_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c978eb4a-4e5b-5e42-870b-1d5172367949", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.761Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "T42.Automation.Fixture.FileSystemWindows-18.0.13.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.832Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "5f3a76c516a22ec5629616f501ab860dfb47ab903b7986fe056f13683dfefef5", "2021-09-16T19:20:29.168Z", 652056, "code42-exfil-share-datatype", "23ba5e96a691edc4773fec0f88bf952f", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/dotnet/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.761Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.812Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.897Z 804e3b095828 Skyformation - 5723685368446080373 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715897 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar fsize=41227 msg=Resource [Resource: file :: test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:15.897Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.419Z ext_md5Checksum=e98fb5f87aed64e2d32116bc565d2dec ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=41227 ext_insertionTimestamp=2021-09-16T19:18:39.567796Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:15.414Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_253\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.897Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567796Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":41227,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e98fb5f87aed64e2d32116bc565d2dec\",\"sha256Checksum\":\"95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806\",\"createTimestamp\":\"2021-09-16T19:15:15.414Z\",\"modifyTimestamp\":\"2021-09-16T19:15:15.419Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\"
:null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61264_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61264_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4386ebf1-b7bd-5cc7-9d76-25107a9a2069", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.897Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, 
{"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-code42-server-web-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:15.419Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "95f6b43dab4c42d45687e528f0be93637e1b36de1bdcff9892171245d4fae806", "2021-09-16T19:20:29.157Z", 41227, "code42-exfil-share-datatype", "e98fb5f87aed64e2d32116bc565d2dec", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.897Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:15.414Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.821Z 804e3b095828 Skyformation - 1605658926549055429 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723821 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=netstandard.dll fsize=105472 msg=Resource [Resource: file :: netstandard.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:23.821Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=netstandard.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=3d47f885a18937d6fd0fde935538560b ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105472 ext_insertionTimestamp=2021-09-16T19:18:39.567392Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_161\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.821Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567392Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"netstandard.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":105472,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3d47f885a18937d6fd0fde935538560b\",\"sha256Checksum\":\"22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_18_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2481047e-5ae4-543b-9028-8e19e3e05566", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.821Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "netstandard.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "22923def96c845fb34a2ffbda590cff283ed4ec024a78c39cd72f5bf09c5bad8", "2021-09-16T19:20:29.170Z", 105472, "code42-exfil-share-datatype", "3d47f885a18937d6fd0fde935538560b", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.821Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:01:01.023Z 804e3b095828 Skyformation - 2456916627922492488 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 dproc=file events dtz=default-tenant end=1631822461023 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:01:01.023Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:01:00.608Z ext_md5Checksum=2ee6250bd1e7bd8600f0961bd3324d4e ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656641 ext_insertionTimestamp=2021-09-16T20:02:04.344088Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025213595756656523_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:01:01.023Z\",\"insertionTimestamp\":\"2021-09-16T20:02:04.344088Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6656641,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2ee6250bd1e7bd8600f0961bd3324d4e\",\"sha256Checksum\":\"1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:01:00.608Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:01:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61339_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61339_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fc4db0ba-18cc-5107-a914-084f635c52af", "observed_start_time": "2021-09-16T20:01:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:01:01.023Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T20:01:00.608Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ebe45d6d617c8542aed1ce49d01d9e38638e65f238fc2486e43409a6e195a54", "2021-09-16T20:04:28.310Z", 6656641, "code42-exfil-share-datatype", "2ee6250bd1e7bd8600f0961bd3324d4e", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:01:01.023Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.772Z 804e3b095828 Skyformation - 8294759705628931815 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819718772 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.772Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.095Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.568008Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED 
ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:17.884Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_301\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.772Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568008Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7650176,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d2670e017c2aee21fbfa183360468e94\",\"sha256Checksum\":\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"createTimestamp\":\"2021-09-16T19:15:17.884Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.095Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f63d3086-bd17-55ab-81cc-54fc91e7d10b", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.772Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-file-system-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.095Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64", "2021-09-16T19:20:29.172Z", 7650176, "code42-exfil-share-datatype", "d2670e017c2aee21fbfa183360468e94", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.772Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:17.884Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:44:00.556Z 804e3b095828 Skyformation - 8674733544075329242 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 dproc=file events dtz=default-tenant end=1631828640556 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:44:00.556Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:44:00.149Z ext_md5Checksum=32ef24cfa95d52085eea12935c55f475 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659628 ext_insertionTimestamp=2021-09-16T21:45:15.841469Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223980199049099_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:44:00.556Z\",\"insertionTimestamp\":\"2021-09-16T21:45:15.841469Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659628,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"32ef24cfa95d52085eea12935c55f475\",\"sha256Checksum\":\"a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:44:00.149Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:44:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-23911c2c-7e26-51bc-9fea-5f05b4c871cf", "observed_start_time": "2021-09-16T21:44:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:44:00.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:44:00.149Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a75f8b71a57d31106da3c7c053f8c198202fda1426002fbc2fa3055906061f6a", "2021-09-16T21:46:29.997Z", 6659628, "code42-exfil-share-datatype", "32ef24cfa95d52085eea12935c55f475", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:44:00.556Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:24.085Z 804e3b095828 Skyformation - 8692612087128247895 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 dproc=file 
events dtz=default-tenant duid=username duser=kathy.kane end=1631819724085 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=WindowsBase.dll fsize=6656 msg=Resource [Resource: file :: WindowsBase.dll] was created by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:24.085Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=WindowsBase.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=d8a0e4361c61034952e56a4eaac26925 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6656 ext_insertionTimestamp=2021-09-16T19:18:39.567190Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_107\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:24.085Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567190Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"WindowsBase.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6656,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d8a0e4361c61034952e56a4eaac26925\",\"sha256Checksum\":\"2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:24Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_18_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-08f2fe68-910f-5dc7-94c4-c7d30afc8519", "observed_start_time": "2021-09-16T19:15:24Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:24.085Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsBase.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "CREATED", "162.222.47.183", "kathy.kane", "2c63c82a76384ba298bdbff0b3933f70e73139308d93044e7a5020b6ef3a1597", "2021-09-16T19:20:29.170Z", 6656, "code42-exfil-share-datatype", "d8a0e4361c61034952e56a4eaac26925", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:24.085Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z 
ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-75e7c90f-681b-5167-ab1f-93253718bf60", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "email", "ctr_uuid": "9bbedf60-14c7-4119-88a5-0980db51cd12", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": 
"indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.994Z 804e3b095828 Skyformation - 5692899194704443110 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711994 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=launchTest42Console-Java.sh fsize=165 msg=Resource [Resource: file :: launchTest42Console-Java.sh] was deleted 
by [kathy.kane@c42se.com] outcome=Executable proto=sh requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Script ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Script ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.994Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=launchTest42Console-Java.sh ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-sh ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:41.020Z ext_md5Checksum=3b387d2bf8ce6d3b92a5f1db751813f9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=165 ext_insertionTimestamp=2021-09-16T19:18:39.568109Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:41.019Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_324\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.994Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568109Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"launchTest42Console-Java.sh\",\"fileType\":\"FILE\",\"fileCategory\":\"Script\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Script\",\"fileSize\":165,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3b387d2bf8ce6d3b92a5f1db751813f9\",\"sha256Checksum\":\"ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361\",\"createTimestamp\":\"2021-09-16T14:29:41.019Z\",\"modifyTimestamp\":\"2021-09-16T14:29:41.020Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,
\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/x-sh\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_11_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-45612c08-8262-5116-a9f8-17732756f8ff", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.994Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Script", "Endpoint", "launchTest42Console-Java.sh", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:41.020Z", "application/x-sh", "DELETED", "162.222.47.183", "kathy.kane", "ba192f1176d982808cc8b28de9a532b3382ffa0a9cfd621e885275ac71420361", "2021-09-16T19:20:29.168Z", 165, "code42-exfil-share-datatype", "3b387d2bf8ce6d3b92a5f1db751813f9", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Script", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.994Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:41.019Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:28:00.876Z 804e3b095828 Skyformation - 8042611856875895468 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 dproc=file events 
dtz=default-tenant end=1631831280876 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:28:00.876Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:28:00.304Z ext_md5Checksum=453ec6ef064fa5bc0c6f50ee2d5204e5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6660904 ext_insertionTimestamp=2021-09-16T22:28:42.643367Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025228352995850123_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:28:00.876Z\",\"insertionTimestamp\":\"2021-09-16T22:28:42.643367Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6660904,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"453ec6ef064fa5bc0c6f50ee2d5204e5\",\"sha256Checksum\":\"853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:28:00.304Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:28:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61426_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61426_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5a4f38a7-721b-5a46-af92-9b379e22e83f", "observed_start_time": "2021-09-16T22:28:00Z", "count": 1, "observable_type": "email", "ctr_uuid": "4b7ab028-acaa-4fb1-b37e-526ecd458912", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:28:00.876Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:28:00.304Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "853ae6c7ba042a346d68a35f9f27bd1015b58e54b0c8fed294e58952f8aaa108", "2021-09-16T22:30:29.500Z", 6660904, "code42-exfil-share-datatype", "453ec6ef064fa5bc0c6f50ee2d5204e5", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:28:00.876Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:59:02.980Z\",\"insertionTimestamp\":\"2021-09-16T23:01:17.003636Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661803,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7a691f6c406d52373ad2c62e2f480bb3\",\"sha256Checksum\":\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:59:00.670Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:59:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a65e4551-47d7-5f70-a259-006cd2ea2894", "observed_start_time": "2021-09-16T22:59:02Z", "count": 1, "observable_type": "email", "ctr_uuid": "f0a0ad4f-0f73-4ac4-96d8-488f86fa742f", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:59:02.980Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:59:00.670Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3", "2021-09-16T23:02:30.314Z", 6661803, "code42-exfil-share-datatype", "7a691f6c406d52373ad2c62e2f480bb3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:59:02.980Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:14.828Z 804e3b095828 Skyformation - 4988657070909514900 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819714828 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=dotnet-Test42Runner-8.2.3.zip fsize=468043 msg=Resource [Resource: file :: dotnet-Test42Runner-8.2.3.zip] was created by [kathy.kane@c42se.com] outcome=Archive proto=zip requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Archive ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:14.828Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=dotnet-Test42Runner-8.2.3.zip ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/zip ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:13.679Z ext_md5Checksum=2fa8d4d1035f2e127169e5e649d52ed1 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=468043 ext_insertionTimestamp=2021-09-16T19:18:39.567549Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:13.658Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_189\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:14.828Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567549Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"dotnet-Test42Runner-8.2.3.zip\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Archive\",\"fileSize\":468043,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"2fa8d4d1035f2e127169e5e649d52ed1\",\"sha256Checksum\":\"7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4\",\"createTimestamp\":\"2021-09-16T19:15:13.658Z\",\"modifyTimestamp\":\"2021-09-16T19:15:13.679Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/zip\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:14Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-747337c7-1290-5526-abdf-d50e6103d1ac", "observed_start_time": "2021-09-16T19:15:14Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:14.828Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Archive", "Endpoint", "dotnet-Test42Runner-8.2.3.zip", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:13.679Z", "application/zip", "CREATED", "162.222.47.183", "kathy.kane", "7d63f18a3a71bf64121d6be1ea257cecfbf9eb1d176d357bf929d8d1c112e8e4", "2021-09-16T19:20:29.172Z", 468043, "code42-exfil-share-datatype", "2fa8d4d1035f2e127169e5e649d52ed1", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Archive", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:14.828Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:13.658Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.775Z 804e3b095828 Skyformation - 235457846511697461 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718775 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar fsize=11047889 msg=Resource [Resource: file :: test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.775Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.687Z ext_md5Checksum=c32214157ad2def6a511701ce4e0a562 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11047889 ext_insertionTimestamp=2021-09-16T19:18:39.567939Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.378Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_283\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.775Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567939Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11047889,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"c32214157ad2def6a511701ce4e0a562\",\"sha256Checksum\":\"364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b\",\"createTimestamp\":\"2021-09-16T19:15:18.378Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.687Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emai
lFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0d18a5dd-0e2a-5b84-b619-3d537c56b3d0", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.775Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": 
"string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-server-rest-9.6.1-release-cloud-9.6.1-6.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.687Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "364865e38220efaf5c4b41684cc2ebd2a0325d2255a30581a787edc0a055087b", "2021-09-16T19:20:29.172Z", 11047889, "code42-exfil-share-datatype", "c32214157ad2def6a511701ce4e0a562", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.775Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.378Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:39:00.951Z 804e3b095828 Skyformation - 3085221760796449695 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 dproc=file events dtz=default-tenant end=1631828340951 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:39:00.951Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:39:00.700Z ext_md5Checksum=5a797dc0a97885951ef7fd87b6f564fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659483 ext_insertionTimestamp=2021-09-16T21:39:50.425897Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025223433530242955_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:39:00.951Z\",\"insertionTimestamp\":\"2021-09-16T21:39:50.425897Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659483,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"5a797dc0a97885951ef7fd87b6f564fe\",\"sha256Checksum\":\"a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:39:00.700Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],
\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:39:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61421_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61421_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-de89ae13-1740-5d1b-89bb-f85121f0cd75", "observed_start_time": "2021-09-16T21:39:00Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:39:00.951Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": 
"forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:39:00.700Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "a1f392d1aff4001e0cf29fb50c2cdc8d90b16f00c9f901fff4f1e9cbab8ffd4c", "2021-09-16T21:40:29.785Z", 6659483, "code42-exfil-share-datatype", "5a797dc0a97885951ef7fd87b6f564fe", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:39:00.951Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:19.769Z 804e3b095828 Skyformation - 6627546699421659495 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819719769 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-console-8.2.3.jar fsize=2573374 msg=Resource [Resource: file :: test42-console-8.2.3.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:19.769Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-console-8.2.3.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:19.052Z ext_md5Checksum=aa7ef1099a4cd7eb288430e0f8621b0c ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2573374 ext_insertionTimestamp=2021-09-16T19:18:39.568143Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.979Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_331\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:19.769Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568143Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"test42-console-8.2.3.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2573374,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"aa7ef1099a4cd7eb288430e0f8621b0c\",\"sha256Checksum\":\"964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee\",\"createTimestamp\":\"2021-09-16T19:15:18.979Z\",\"modifyTimestamp\":\"2021-09-16T19:15:19.052Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_1_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3d31370-5f9b-5151-b1b4-1106238db7e9", "observed_start_time": "2021-09-16T19:15:19Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:19.769Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-console-8.2.3.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:19.052Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "964e6a1464afbf45620867bfde228ce4baa60976fe2c076e6fe651d71e25eeee", "2021-09-16T19:20:29.167Z", 2573374, "code42-exfil-share-datatype", "aa7ef1099a4cd7eb288430e0f8621b0c", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:19.769Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.979Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:15.893Z 804e3b095828 Skyformation - 4881423058587582298 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819715893 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-common-18.0.194-develop-194.jar fsize=6080452 msg=Resource [Resource: file :: test42-fixture-common-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:15.893Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-common-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:15.133Z ext_md5Checksum=08215631827e4179e243d27b5f502f90 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6080452 ext_insertionTimestamp=2021-09-16T19:18:39.567870Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:14.961Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_265\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:15.893Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567870Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-common-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6080452,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"08215631827e4179e243d27b5f502f90\",\"sha256Checksum\":\"5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1\",\"createTimestamp\":\"2021-09-16T19:15:14.961Z\",\"modifyTimestamp\":\"2021-09-16T19:15:15.133Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRec
ipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:15Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-fcfc53ce-2a59-58e6-8c35-da34b1db1be7", "observed_start_time": "2021-09-16T19:15:15Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:15.893Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-common-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:15.133Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "5227899f39f2f4156cc3a4cd422da0a66ec44b931138407125eb3d4a623f3bd1", "2021-09-16T19:20:29.169Z", 6080452, "code42-exfil-share-datatype", "08215631827e4179e243d27b5f502f90", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:15.893Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:14.961Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:18.773Z 804e3b095828 Skyformation - 2796256343079738721 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819718773 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=test42-fixture-rest-18.0.194-develop-194.jar fsize=6976661 msg=Resource [Resource: file :: test42-fixture-rest-18.0.194-develop-194.jar] was created by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:18.773Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-rest-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T19:15:18.342Z ext_md5Checksum=f20102257ab369adb8dd6cb6c50014fe ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6976661 
ext_insertionTimestamp=2021-09-16T19:18:39.568031Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T19:15:18.148Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_307\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:18.773Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568031Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-rest-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6976661,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"f20102257ab369adb8dd6cb6c50014fe\",\"sha256Checksum\":\"755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf\",\"createTimestamp\":\"2021-09-16T19:15:18.148Z\",\"modifyTimestamp\":\"2021-09-16T19:15:18.342Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_9_61263_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-82473b8d-7e74-50ea-9744-5b08a75c0f86", "observed_start_time": "2021-09-16T19:15:18Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:18.773Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-rest-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T19:15:18.342Z", "application/java-archive", "CREATED", "162.222.47.183", "kathy.kane", "755487763e19e3addfcfbdabeba7d17fdaf7852aa2ba0068ccb65679d4a933cf", "2021-09-16T19:20:29.159Z", 6976661, "code42-exfil-share-datatype", "f20102257ab369adb8dd6cb6c50014fe", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:18.773Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T19:15:18.148Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 1490067587399469079 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-file-system-18.0.194-develop-194.jar fsize=7650176 msg=Resource [Resource: file :: test42-fixture-file-system-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable 
ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-file-system-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:31.147Z ext_md5Checksum=d2670e017c2aee21fbfa183360468e94 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7650176 ext_insertionTimestamp=2021-09-16T19:18:39.567997Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.911Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_296\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567997Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-file-system-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7650176,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"d2670e017c2aee21fbfa183360468e94\",\"sha256Checksum\":\"f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64\",\"createTimestamp\":\"2021-09-16T14:29:30.911Z\",\"modifyTimestamp\":\"2021-09-16T14:29:31.147Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"ema
ilRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61265_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61265_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-600d5056-d56f-5d29-8735-28d002a0177c", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-file-system-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:31.147Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "f92e48e7650ab63a3238a80a6603c13d28db5eb61f525d6c53a608777c338e64", "2021-09-16T19:20:29.157Z", 7650176, "code42-exfil-share-datatype", "d2670e017c2aee21fbfa183360468e94", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.911Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:50:02.277Z 804e3b095828 Skyformation - 5602684442482280736 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 dproc=file events dtz=default-tenant end=1631829002277 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:50:02.277Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:50:00.880Z ext_md5Checksum=b817fe0a78cbc9235abc6adce11beb39 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659802 ext_insertionTimestamp=2021-09-16T21:51:03.096935Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] 
ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025224527002072971_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:50:02.277Z\",\"insertionTimestamp\":\"2021-09-16T21:51:03.096935Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659802,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"b817fe0a78cbc9235abc6adce11beb39\",\"sha256Checksum\":\"6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:50:00.880Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject
\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:50:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61423_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61423_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8c564a5c-edc3-541c-989b-c9b6584537a0", "observed_start_time": "2021-09-16T21:50:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:50:02.277Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": 
"file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:50:00.880Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "6deab565c752f5a01ed4fa56b8942b077e85defd0b4e1f2de84591e1b49c9e1c", "2021-09-16T21:52:29.135Z", 6659802, "code42-exfil-share-datatype", "b817fe0a78cbc9235abc6adce11beb39", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:50:02.277Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.993Z 804e3b095828 Skyformation - 8176639218918911133 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711993 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Test42Console.runtimeconfig.json fsize=105 msg=Resource [Resource: file :: Test42Console.runtimeconfig.json] was deleted by [kathy.kane@c42se.com] proto=json requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Uncategorized ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.993Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Test42Console.runtimeconfig.json ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/json ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:32.653Z ext_md5Checksum=ba8f99b0518b43d8e5cdf3ea1356c600 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=105 ext_insertionTimestamp=2021-09-16T19:18:39.567470Z ext_privateIpAddresses_5_=127.0.0.1 
ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:32.651Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_174\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.993Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567470Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/\",\"fileName\":\"Test42Console.runtimeconfig.json\",\"fileType\":\"FILE\",\"fileCategory\":\"Uncategorized\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":105,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"ba8f99b0518b43d8e5cdf3ea1356c600\",\"sha256Checksum\":\"8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86\",\"createTimestamp\":\"2021-09-16T14:29:32.651Z\",\"modifyTimestamp\":\"2021-09-16T14:29:32.653Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/json\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_19_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c0e83a93-2af4-5d37-babd-10b1452f228d", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.993Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Test42Console.runtimeconfig.json", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:32.653Z", "application/json", "DELETED", "162.222.47.183", "kathy.kane", "8520853a642bf7d3cb62637b385a69cd1e36f2de622bc2143756135673e9cc86", "2021-09-16T19:20:29.168Z", 105, "code42-exfil-share-datatype", "ba8f99b0518b43d8e5cdf3ea1356c600", 57848, "false", "TRUE", "/Users/kathy.kane/test42/", "Uncategorized", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.993Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:32.651Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.008Z 804e3b095828 Skyformation - 2619095453314890827 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712008 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-string-18.0.194-develop-194.jar fsize=14758 msg=Resource [Resource: file :: test42-fixture-string-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:12.008Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-string-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:26.375Z ext_md5Checksum=0c1b42a22fa41253e0a883a3c2147fa9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14758 ext_insertionTimestamp=2021-09-16T19:18:39.568043Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:26.371Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_308\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.008Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.568043Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-string-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14758,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0c1b42a22fa41253e0a883a3c2147fa9\",\"sha256Checksum\":\"a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c\",\"createTimestamp\":\"2021-09-16T14:29:26.371Z\",\"modifyTimestamp\":\"2021-09-16T14:29:26.375Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecip
ients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d692ff50-8a73-5b7c-887a-7ac69931a5ce", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.008Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", 
"type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-string-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:26.375Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "a2c750d3a3e15e42ccb2fb1e391f56838b522419da3000a31f50aff891e3c22c", "2021-09-16T19:20:29.168Z", 14758, "code42-exfil-share-datatype", "0c1b42a22fa41253e0a883a3c2147fa9", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.008Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:26.371Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.006Z 804e3b095828 Skyformation - 465235528329935198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712006 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar fsize=7657197 msg=Resource [Resource: file :: test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.006Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:30.563Z ext_md5Checksum=61898b6da7ebbf3a13be7c76ae49e5f5 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7657197 
ext_insertionTimestamp=2021-09-16T19:18:39.567718Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:30.281Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_230\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.006Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567718Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7657197,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"61898b6da7ebbf3a13be7c76ae49e5f5\",\"sha256Checksum\":\"76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43\",\"createTimestamp\":\"2021-09-16T14:29:30.281Z\",\"modifyTimestamp\":\"2021-09-16T14:29:30.563Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_11_61266_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61266_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4e7fd42a-7da6-52ff-a103-0ef33800ab52", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.006Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-cloud-sync-provider-18.0.194-develop-194.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:30.563Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "76838130d4d922694ac046f54b1a6cbe56b405df7e04cb402c8eb22623d4cb43", "2021-09-16T19:20:29.168Z", 7657197, "code42-exfil-share-datatype", "61898b6da7ebbf3a13be7c76ae49e5f5", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.006Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:30.281Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:23.820Z 804e3b095828 Skyformation - 3517425595454456489 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-created|resource-created|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819723820 fileHash=File filePath=N/A fileType=file flexString1=CREATED flexString1Label=application-action fname=nethost.h fsize=2709 msg=Resource [Resource: file :: nethost.h] was created by [kathy.kane@c42se.com] proto=h requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=SourceCode ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=SourceCode ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 
ext_eventTimestamp=2021-09-16T19:15:23.820Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=nethost.h ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/x-chdr ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:38:56Z ext_md5Checksum=43b6f3115aa52ad9540bdbe756e1a9b3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2709 ext_insertionTimestamp=2021-09-16T19:18:39.567369Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=CREATED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:38:56Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_155\",\"eventType\":\"CREATED\",\"eventTimestamp\":\"2021-09-16T19:15:23.820Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567369Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"nethost.h\",\"fileType\":\"FILE\",\"fileCategory\":\"SourceCode\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"SourceCode\",\"fileSize\":2709,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"43b6f3115aa52ad9540bdbe756e1a9b3\",\"sha256Checksum\":\"c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f\",\"createTimestamp\":\"2020-01-17T20:38:56Z\",\"modifyTimestamp\":\"2020-01-17T20:38:56Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":n
ull,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/x-chdr\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61268_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61268_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9e830775-5347-525c-aedd-78a6ed9a978d", "observed_start_time": "2021-09-16T19:15:23Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:23.820Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": 
"file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "SourceCode", "Endpoint", "nethost.h", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:38:56Z", "text/x-chdr", "CREATED", "162.222.47.183", "kathy.kane", "c584639a5ee3170e0bf90f83c2b683a4c44d2b94af724ef20fbaddc7eddb585f", "2021-09-16T19:20:29.167Z", 2709, "code42-exfil-share-datatype", "43b6f3115aa52ad9540bdbe756e1a9b3", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "SourceCode", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:23.820Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:38:56Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:12.007Z 804e3b095828 Skyformation - 4664902644332636172 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819712007 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar fsize=14514207 msg=Resource [Resource: file :: test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar] was deleted by [kathy.kane@c42se.com] proto=jar requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/fixtures/java/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:12.007Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/java-archive ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T14:29:29.203Z ext_md5Checksum=34dd2200b09a5c51bbd84acdeb98b606 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Archive ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14514207 
ext_insertionTimestamp=2021-09-16T19:18:39.567904Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-16T14:29:28.792Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/zip ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_272\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:12.007Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567904Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/fixtures/java/\",\"fileName\":\"test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14514207,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"34dd2200b09a5c51bbd84acdeb98b606\",\"sha256Checksum\":\"13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e\",\"createTimestamp\":\"2021-09-16T14:29:28.792Z\",\"modifyTimestamp\":\"2021-09-16T14:29:29.203Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/zip\",\"mimeTypeByExtension\":\"application/java-archive\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:12Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_15_61263_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61263_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1a735af4-fe4a-5bf6-8aa8-32b39f6cb717", "observed_start_time": "2021-09-16T19:15:12Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:12.007Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "test42-fixture-crashplan-client-rest-8.8.0-develop-178.jar", "KATHYK-OSX (2)", "localhost", "2021-09-16T14:29:29.203Z", "application/java-archive", "DELETED", "162.222.47.183", "kathy.kane", "13bcc7db4dff6985d2c2540c00ac949dc293cb82ea6f4ce770ed1bb03fd5e06e", "2021-09-16T19:20:29.158Z", 14514207, "code42-exfil-share-datatype", "34dd2200b09a5c51bbd84acdeb98b606", 57848, "false", "TRUE", "/Users/kathy.kane/test42/fixtures/java/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:12.007Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2021-09-16T14:29:28.792Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T20:23:01.992Z 804e3b095828 Skyformation - 134014797071545939 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 dproc=file events dtz=default-tenant end=1631823781992 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T20:23:01.992Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T20:23:00.252Z ext_md5Checksum=e95fbbc4261d5827634041a0f12107a0 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6657279 ext_insertionTimestamp=2021-09-16T20:23:47.534223Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=172.20.64.15 ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025215781374916491_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T20:23:01.992Z\",\"insertionTimestamp\":\"2021-09-16T20:23:47.534223Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6657279,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"e95fbbc4261d5827634041a0f12107a0\",\"sha256Checksum\":\"2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T20:23:00.252Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"172.20.64.15\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"
mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T20:23:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61341_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61341_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-36285ceb-2bb5-537c-aee4-140da8e61c9d", "observed_start_time": "2021-09-16T20:23:01Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T20:23:01.992Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "172.20.64.15", "2021-09-16T20:23:00.252Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "2d40e6c1cfe21289c410290b645dd9dce313ef9700f40e13b8200089dd38ca09", "2021-09-16T20:24:29.211Z", 6657279, "code42-exfil-share-datatype", "e95fbbc4261d5827634041a0f12107a0", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T20:23:01.992Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:39:00.979Z 804e3b095828 Skyformation - 2580885261986268761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 dproc=file events 
dtz=default-tenant end=1631831940979 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:39:00.979Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:39:00.479Z ext_md5Checksum=693b07e79c0ed75e36f7a60f836ef1a9 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661223 ext_insertionTimestamp=2021-09-16T22:39:31.810355Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025229446467680139_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:39:00.979Z\",\"insertionTimestamp\":\"2021-09-16T22:39:31.810355Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661223,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"693b07e79c0ed75e36f7a60f836ef1a9\",\"sha256Checksum\":\"d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:39:00.479Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:39:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61427_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61427_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bbe544a7-4712-503d-8e2b-e850af9a8a35", "observed_start_time": "2021-09-16T22:39:00Z", "count": 1, "observable_type": "email", "ctr_uuid": "fadc76ee-cf2d-4cbd-b0ed-7a1ca4a07aec", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:39:00.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": 
"string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:39:00.479Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "d873aa387b48051ab4c3cf26049b9fa419f704660bbdc4ccc2dd73fb1e2d6ff0", "2021-09-16T22:40:29.619Z", 6661223, "code42-exfil-share-datatype", "693b07e79c0ed75e36f7a60f836ef1a9", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:39:00.979Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T19:15:11.745Z 804e3b095828 Skyformation - 3347113359677108016 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 dproc=file events dtz=default-tenant duid=username duser=kathy.kane end=1631819711745 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Xml.XmlSerializer.dll fsize=8704 msg=Resource [Resource: file :: System.Xml.XmlSerializer.dll] was deleted by [kathy.kane@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T19:15:11.745Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=System.Xml.XmlSerializer.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-01-17T20:41:02Z ext_md5Checksum=0cc4665479b5e519b2597b93577de1aa ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Executable ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=8704 ext_insertionTimestamp=2021-09-16T19:18:39.567112Z 
ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=DELETED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-01-17T20:41:02Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025209222339098507_84\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T19:15:11.745Z\",\"insertionTimestamp\":\"2021-09-16T19:18:39.567112Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/\",\"fileName\":\"System.Xml.XmlSerializer.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":8704,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"0cc4665479b5e519b2597b93577de1aa\",\"sha256Checksum\":\"027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba\",\"createTimestamp\":\"2020-01-17T20:41:02Z\",\"modifyTimestamp\":\"2020-01-17T20:41:02Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T19:15:11Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": 
["lms.kafka.topic_3_61267_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61267_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a8e336e0-e775-5f81-a1d7-1d703bd8e157", "observed_start_time": "2021-09-16T19:15:11Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T19:15:11.745Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", 
"type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Xml.XmlSerializer.dll", "KATHYK-OSX (2)", "localhost", "2020-01-17T20:41:02Z", "application/x-msdownload", "DELETED", "162.222.47.183", "kathy.kane", "027bd9f18efae0871d22f6dcd7355d9f65c07d5f5af325a904151a6501724fba", "2021-09-16T19:20:29.167Z", 8704, "code42-exfil-share-datatype", "0cc4665479b5e519b2597b93577de1aa", 57848, "false", "TRUE", "/Users/kathy.kane/test42/Dotnet-Runtime/shared/Microsoft.NETCore.App/3.1.2/", "Executable", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T19:15:11.745Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-01-17T20:41:02Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T21:23:02.291Z 804e3b095828 Skyformation - 2954122368002305264 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 dproc=file events dtz=default-tenant end=1631827382291 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T21:23:02.291Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T21:23:00.987Z ext_md5Checksum=8a6258884d44fdd107707ad5c0cf2bea ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6659019 ext_insertionTimestamp=2021-09-16T21:23:35.061605Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025221793725151115_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T21:23:02.291Z\",\"insertionTimestamp\":\"2021-09-16T21:23:35.061605Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6659019,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"8a6258884d44fdd107707ad5c0cf2bea\",\"sha256Checksum\":\"4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T21:23:00.987Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T21:23:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "kathy.kane@c42se.com", "observables": [{"value": "kathy.kane@c42se.com", "type": "email"}], "obs": "email:kathy.kane@c42se.com", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61418_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61418_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5e37db0d-c059-56cc-8397-ed743e0042df", "observed_start_time": "2021-09-16T21:23:02Z", "count": 1, "observable_type": "email", "confidence": "High", "observed_time": {"start_time": "2021-09-16T21:23:02.291Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T21:23:00.987Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "4cda2adf583e7ded00d9e0d883b7d3f538a9eaa96949234c44d518ca0b64658b", "2021-09-16T21:24:29.095Z", 6659019, "code42-exfil-share-datatype", "8a6258884d44fdd107707ad5c0cf2bea", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T21:23:02.291Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}], "revListOrder": 4}, "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "eb1b756a", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "email", "value": "kathy.kane@c42se.com"}, "type": "warning", "action_id": "194360e4-b8f2-44b6-9386-2d9df7a3a549", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": 
"942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for kathy.kane@c42se.com than can be displayed in Threat Response. Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "disposition": 5, "type": "email", "value": "kathy.kane@c42se.com", "id": "eb1b756a"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-8db39845-c60b-4d55-b5e2-0c1ad3f3e441", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T09:41:56.216Z", "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} \ No newline at end of file diff --git a/Exabeam/Snapshot-with-ip.json b/Exabeam/Snapshot-with-ip.json index 29d4a986..5b783cd6 100644 --- a/Exabeam/Snapshot-with-ip.json +++ b/Exabeam/Snapshot-with-ip.json 
@@ -1 +1 @@ -{"schema_version": "1.1.3", "type": "investigation", "search-txt": "ip:\"162.222.47.183\"", "actions": "[{\"arg\":\"162.222.47.183\",\"created\":\"2021-09-17T08:28:35.340Z\",\"id\":\"collect-27650878\",\"result\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T08:28:35.548Z\",\"uuid\":\"4565fef0-1b78-4e97-9075-aae933cde512\"},{\"arg\":{\"type\":\"ip\",\"value\":\"162.222.47.183\"},\"created\":\"2021-09-17T08:28:35.567Z\",\"id\":\"investigate-ecd30f91\",\"result\":{\"data\":[{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":100,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 
ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.288Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337062Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Threading.Channels.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":45952,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"523c15d2368a36583c90119fd9f52fe7\\\",\\\"sha256Checksum\\\":\\\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.230Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cb6020cb-fa6b-58ab-9a08-8c624a73ee5b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.288Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Threading.Channels.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.230Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"2021-09-16T22:52:32.766Z\",45952,\"code42-exfil-share-datatype\",\"523c15d2368a36583c90119fd9f52fe7\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.288Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.411Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314807Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-libraryloader-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12664,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"94d4e2bb8654b77c41cd35574e3f0299\\\",\\\"sha256Checksum\\\":\\\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.401Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.402Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"rem
ovableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d3a79e39-11d3-53f1-b007-2ec9ea47ae64\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.411Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"DAR
NELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.402Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"2021-09-16T22:52:32.762Z\",12664,\"code42-exfil-share-datatype\",\"94d4e2bb8654b77c41cd35574e3f0299\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.411Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.401Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:03:22.644Z 804e3b095828 Skyformation - 273274590069601610 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 dproc=file events dtz=default-tenant end=1631833402644 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:22.644Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:03:22.573Z 
ext_md5Checksum=b65499280f2f8d7b7151a3fa44c0a24f ext_sharedWith=[] ext_sha256Checksum=417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:09:05.264820Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:03:22.644Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:09:05.264820Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/john.miller/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"b65499280f2f8d7b7151a3fa44c0a24f\\\",\\\"sha256Checksum\\\":\\\"417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:36:29.460Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:03:22.573Z\\\",\\\"deviceUserName\\\":\\\"john.miller@c42se.com\\\",\\\"osHostName\\\":\\\"JOHNM-OFFICIAL-\\\",\\\"domainName\\\":\\\"JOHNM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\\\",\\\"0:0:0:0:0:
0:0:1\\\",\\\"172.20.64.238\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944596934062634167\\\",\\\"userUid\\\":\\\"920256648733700755\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"john.miller\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-72310698-525a-5a66-a3ee-20a1deca64d3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:03:22.644Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.interna
l\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"JOHNM-OFFICIAL-\",\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:03:22.573Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"john.miller\",\"417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38\",\"2021-09-16T23:38:30.159Z\",21,\"code42-exfil-share-datatype\",\"b65499280f2f8d7b7151a3fa44c0a24f\",57848,\"false\",\"TRUE\",\"C:/Users/john.miller/\",\"Document\",\"Administrators\",\"FILE\",\"920256648733700755\",\"2021-09-16T23:03:22.644Z\",\"john.miller@c42se.com\",\"john.miller@c42se.com\",\"2020-08-14T14:36:29.460Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.307Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335765Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"PresentationUI.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":53112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"0bf7eed5f18b294cd26d33a71c831237\\\",\\\"sha256Checksum\\\":\\\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.377Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.098Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-dd407cc3-3f46-5b52-b2e8-65ebc0e516ed\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.307Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationUI.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.098Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"2021-09-16T22:52:32.764Z\",53112,\"code42-exfil-share-datatype\",\"0bf7eed5f18b294cd26d33a71c831237\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.307Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.377Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.246Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336975Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Buffers.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20856,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ecdfe8ede869d2ccc6bf99981ea96400\\\",\\\"sha256Checksum\\\":\\\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.619Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.607Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\
\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-eb0c66e8-84ad-581a-9f9a-25cebb09004f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.246Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Buffers.dll\",\"DARNELLW-OFFICI\",\"DARNELL
W-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.607Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"2021-09-16T22:52:32.759Z\",20856,\"code42-exfil-share-datatype\",\"ecdfe8ede869d2ccc6bf99981ea96400\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.246Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.619Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:58:45.240Z 804e3b095828 Skyformation - 1503382521195344208 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 dproc=file events dtz=default-tenant end=1631833125240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:58:45.240Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:58:44.334Z 
ext_md5Checksum=4d815e327303356a651e8f6309dbddb2 ext_sharedWith=[] ext_sha256Checksum=44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:23.643528Z ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:58:45.240Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:02:23.643528Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/eric.strauss/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"4d815e327303356a651e8f6309dbddb2\\\",\\\"sha256Checksum\\\":\\\"44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e\\\",\\\"createTimestamp\\\":\\\"2020-08-14T13:40:10.269Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:58:44.334Z\\\",\\\"deviceUserName\\\":\\\"eric.strauss@c42se.com\\\",\\\"osHostName\\\":\\\"ERICS-OFFICIAL-\\\",\\\"domainName\\\":\\\"ERICS-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:10bc:b19:239f:6063%eth4\\\",\\\"172.20.65
.70\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"949085489986461736\\\",\\\"userUid\\\":\\\"886924612955838070\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"eric.strauss\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1c9475b8-bc10-5f3a-a528-b8a5ae119847\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:58:45.240Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"ERICS-OFFICIAL-\",\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:58:44.334Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"eric.strauss\",\"44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e\",\"2021-09-16T23:04:29.763Z\",21,\"code42-exfil-share-datatype\",\"4d815e327303356a651e8f6309dbddb2\",57848,\"false\",\"TRUE\",\"C:/Users/eric.strauss/\",\"Document\",\"Administrators\",\"FILE\",\"886924612955838070\",\"2021-09-16T22:58:45.240Z\",\"eric.strauss@c42se.com\",\"eric.strauss@c42se.com\",\"2020-08-14T13:40:10.269Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.134Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336077Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"System.Windows.Forms.Design.Editors.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":78200,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3feb5a138ff178c1dd47a8a99f394517\\\",\\\"sha256Checksum\\\":\\\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.771Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipie
nts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-df2ba03f-9021-5a29-9af0-4d748fd81b32\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.134Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Forms.Design.Editors.resources.dl
l\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.771Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"2021-09-16T22:52:32.759Z\",78200,\"code42-exfil-share-datatype\",\"3feb5a138ff178c1dd47a8a99f394517\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.134Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.207Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314378Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":729448,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"4bb5499613eca0fe0670a3cab2d5318e\\\",\\\"sha256Checksum\\\":\\\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.205Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.217Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMedi
aName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e2f84dc5-c14e-5c9e-8387-08f1c5f04b0d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.207Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.exe\",\"DARNELLW-OFFICI\",\
"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.217Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"2021-09-16T22:52:32.764Z\",729448,\"code42-exfil-share-datatype\",\"4bb5499613eca0fe0670a3cab2d5318e\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.207Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.205Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:00:53.518Z 804e3b095828 Skyformation - 9157518344019267215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 dproc=file events dtz=default-tenant end=1631833253518 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:53.518Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:52.603Z ext_md5Checksum=07123ecb22ebf61f593efe09b307cb58 ext_sharedWith=[] 
ext_sha256Checksum=6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:35.401169Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:00:53.518Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:02:35.401169Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/alex.cooper/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"07123ecb22ebf61f593efe09b307cb58\\\",\\\"sha256Checksum\\\":\\\"6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217\\\",\\\"createTimestamp\\\":\\\"2020-08-14T13:57:46.726Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:00:52.603Z\\\",\\\"deviceUserName\\\":\\\"alex.cooper@c42se.com\\\",\\\"osHostName\\\":\\\"ALEXC-OFFICIAL-\\\",\\\"domainName\\\":\\\"ALEXC-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.65.62\\\",\\\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\
\\"],\\\"deviceUid\\\":\\\"944595906935824510\\\",\\\"userUid\\\":\\\"925771637667629373\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"alex.cooper\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_14_61484_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 
30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0f0674ff-844f-5bef-96fa-3838e5680bbb\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:00:53.518Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"ALEXC-OFFICIAL-
\",\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:00:52.603Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"alex.cooper\",\"6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217\",\"2021-09-16T23:04:29.765Z\",21,\"code42-exfil-share-datatype\",\"07123ecb22ebf61f593efe09b307cb58\",57848,\"false\",\"TRUE\",\"C:/Users/alex.cooper/\",\"Document\",\"Administrators\",\"FILE\",\"925771637667629373\",\"2021-09-16T23:00:53.518Z\",\"alex.cooper@c42se.com\",\"alex.cooper@c42se.com\",\"2020-08-14T13:57:46.726Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.158Z 804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.158Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336139Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f96e04ea6cbce1560b83bff7a42f29b0\\\",\\\"sha256Checksum\\\":\\\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.849Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a7debce1-3ffd-50ca-b4dd-86c49407a4b2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.158Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.849Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"2021-09-16T22:52:32.763Z\",14224,\"code42-exfil-share-datatype\",\"f96e04ea6cbce1560b83bff7a42f29b0\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.158Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:00:01.360Z 804e3b095828 Skyformation - 3885683649781971647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 dproc=file events dtz=default-tenant end=1631833201360 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:01.360Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:00.548Z 
ext_md5Checksum=6ef406323b86ee9fc610e512e565eceb ext_sharedWith=[] ext_sha256Checksum=a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:01:26.761677Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:00:01.360Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:01:26.761677Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/lisa.anderson/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"6ef406323b86ee9fc610e512e565eceb\\\",\\\"sha256Checksum\\\":\\\"a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606\\\",\\\"createTimestamp\\\":\\\"2020-08-20T15:35:40.032Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:00:00.548Z\\\",\\\"deviceUserName\\\":\\\"lisa.anderson@example.edu\\\",\\\"osHostName\\\":\\\"LISAA-OFFICIAL-\\\",\\\"domainName\\\":\\\"LISAA-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.165\\\",\\\"
0:0:0:0:0:0:0:1\\\",\\\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968364480722593364\\\",\\\"userUid\\\":\\\"966200991614299301\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"lisa.anderson\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b5131dad-59b7-5e9c-af0c-bd9880bf8180\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:00:01.360Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-in
t-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"LISAA-OFFICIAL-\",\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:00:00.548Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"lisa.anderson\",\"a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606\",\"2021-09-16T23:02:30.314Z\",21,\"code42-exfil-share-datatype\",\"6ef406323b86ee9fc610e512e565eceb\",57848,\"false\",\"TRUE\",\"C:/Users/lisa.anderson/\",\"Document\",\"Administrators\",\"FILE\",\"966200991614299301\",\"2021-09-16T23:00:01.360Z\",\"lisa.anderson@example.edu\",\"lisa.anderson@example.edu\",\"2020-08-20T15:35:40.032Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:18.268Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334477Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\\\",\\\"fileName\\\":\\\"PresentationUI.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":45448,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c9ea75b02fd1d01f87d8ca868c1ec833\\\",\\\"sha256Checksum\\\":\\\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.111Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:47.879Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c9f0fbfb-5ab6-542b-a192-b8fd98e410f9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:18.268Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationUI.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:47.879Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"2021-09-16T22:52:32.759Z\",45448,\"code42-exfil-share-datatype\",\"c9ea75b02fd1d01f87d8ca868c1ec833\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:18.268Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.111Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:47.204Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315494Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\\\",\\\"fileName\\\":\\\"OneDriveSetup.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":47927168,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"82a458793a4b821e54408db1a0ae4124\\\",\\\"sha256Checksum\\\":\\\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\\\",\\\"createTimestamp\\\":\\\"2021-09-14T09:30:08.167Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-14T09:29:55.334Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null
,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d31e6464-3207-5c61-87e3-a41b36564185\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:47.204Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"OneDriveSetup.exe\",\"DARNELLW-OFFICI\",\"DARNELLW
-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-14T09:29:55.334Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"2021-09-16T22:52:32.761Z\",47927168,\"code42-exfil-share-datatype\",\"82a458793a4b821e54408db1a0ae4124\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:47.204Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-14T09:30:08.167Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.089Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336572Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Castle.Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":442368,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"2fba45e50a9fb187e9873416bc6b4400\\\",\\\"sha256Checksum\\\":\\\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.137Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:05.699Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\
":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0f6806eb-5784-52b4-93cd-fa869fedf5ed\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.089Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Castle.Core.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-O
FFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:05.699Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"2021-09-16T22:52:32.760Z\",442368,\"code42-exfil-share-datatype\",\"2fba45e50a9fb187e9873416bc6b4400\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.089Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.137Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.184Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337194Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"libnanoapimanaged.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7197696,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ff0f788645e78335908728321c10454b\\\",\\\"sha256Checksum\\\":\\\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.638Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.359Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3e1bc410-3631-5811-9b1f-f5830fe141bf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:23.184Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"libnanoapimanaged.dll\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.359Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"2021-09-16T22:52:32.759Z\",7197696,\"code42-exfil-share-datatype\",\"ff0f788645e78335908728321c10454b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.184Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.638Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.206Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315122Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-string-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18296,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"f340a17ac423c71767d66973f69d05c8\\\",\\\"sha256Checksum\\\":\\\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.882Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.883Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableM
ediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3de744ae-c05b-5cad-b8ba-bf2e42b878c5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:41.206Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-string-l1-1-0.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.883Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"2021-09-16T22:52:32.761Z\",18296,\"code42-exfil-share-datatype\",\"f340a17ac423c71767d66973f69d05c8\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.206Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.882Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:51:23.336Z 804e3b095828 Skyformation - 869866733287153498 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 dproc=file events dtz=default-tenant end=1631832683336 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:51:23.336Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:22.415Z 
ext_md5Checksum=1a91631bf8b9e8f8eebc32c23d289b00 ext_sharedWith=[] ext_sha256Checksum=528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:47.736678Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:51:23.336Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:52:47.736678Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/john.miller/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"1a91631bf8b9e8f8eebc32c23d289b00\\\",\\\"sha256Checksum\\\":\\\"528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:36:29.460Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:51:22.415Z\\\",\\\"deviceUserName\\\":\\\"john.miller@c42se.com\\\",\\\"osHostName\\\":\\\"JOHNM-OFFICIAL-\\\",\\\"domainName\\\":\\\"JOHNM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\\\",\\\"0:0:0:0:0:
0:0:1\\\",\\\"172.20.64.238\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944596934062634167\\\",\\\"userUid\\\":\\\"920256648733700755\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"john.miller\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-906a35f1-be54-5c29-beb5-915c1a319598\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:51:23.336Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.interna
l\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"JOHNM-OFFICIAL-\",\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:51:22.415Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"john.miller\",\"528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad\",\"2021-09-16T22:54:30.602Z\",21,\"code42-exfil-share-datatype\",\"1a91631bf8b9e8f8eebc32c23d289b00\",57848,\"false\",\"TRUE\",\"C:/Users/john.miller/\",\"Document\",\"Administrators\",\"FILE\",\"920256648733700755\",\"2021-09-16T22:51:23.336Z\",\"john.miller@c42se.com\",\"john.miller@c42se.com\",\"2020-08-14T14:36:29.460Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.281Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337345Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxComm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":22965248,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3bf2cfa3eeecd650c9564a2b6543b398\\\",\\\"sha256Checksum\\\":\\\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:51.480Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-faf386d2-1897-5faa-9341-f6a5fc3c9de2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.281Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxComm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFI
CIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:51.480Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"2021-09-16T22:52:32.760Z\",22965248,\"code42-exfil-share-datatype\",\"3bf2cfa3eeecd650c9564a2b6543b398\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.281Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.136Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336703Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Client.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"987db26b17dc24d5b7dec25db1c103c2\\\",\\\"sha256Checksum\\\":\\\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.839Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-25c017fd-4f45-5914-beb2-bc15656fec2f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.136Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Client.dll\",\"DARN
ELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.839Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"2021-09-16T22:52:32.759Z\",18296,\"code42-exfil-share-datatype\",\"987db26b17dc24d5b7dec25db1c103c2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.136Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:03:00.461Z 804e3b095828 Skyformation - 4596085183447228781 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 dproc=file events dtz=default-tenant end=1631833380461 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:00.461Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:59.649Z 
ext_md5Checksum=3466b521c7f5908415eda20dae617805 ext_sharedWith=[] ext_sha256Checksum=323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:49.475785Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:03:00.461Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:03:49.475785Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/keri.prichard/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"3466b521c7f5908415eda20dae617805\\\",\\\"sha256Checksum\\\":\\\"323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:28:08.235Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:02:59.649Z\\\",\\\"deviceUserName\\\":\\\"keri.prichard@example.edu\\\",\\\"osHostName\\\":\\\"KERIP-OFFICIAL-\\\",\\\"domainName\\\":\\\"KERIP-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.164\\\",\\\"
fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423512854283047\\\",\\\"userUid\\\":\\\"966201252013468837\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"keri.prichard\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7e0b6d27-4e43-591e-bfda-6a6ab3f6874a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:03:00.461Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-
int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KERIP-OFFICIAL-\",\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:02:59.649Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"keri.prichard\",\"323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a\",\"2021-09-16T23:38:30.159Z\",21,\"code42-exfil-share-datatype\",\"3466b521c7f5908415eda20dae617805\",57848,\"false\",\"TRUE\",\"C:/Users/keri.prichard/\",\"Document\",\"Administrators\",\"FILE\",\"966201252013468837\",\"2021-09-16T23:03:00.461Z\",\"keri.prichard@example.edu\",\"keri.prichard@example.edu\",\"2020-08-21T01:28:08.235Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.132Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334824Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\\\",\\\"fileName\\\":\\\"UIAutomationTypes.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b81fa8bc88192c7febd2479638aea569\\\",\\\"sha256Checksum\\\":\\\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.158Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.113Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-80f4bd35-8d77-5832-82bc-6e851b01ab6a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.132Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationTypes.resources.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.113Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"2021-09-16T22:52:32.759Z\",17296,\"code42-exfil-share-datatype\",\"b81fa8bc88192c7febd2479638aea569\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.132Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.158Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:31.153Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337748Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"msoimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11529088,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3f7fb1d32a7be58e65dc615a9553e183\\\",\\\"sha256Checksum\\\":\\\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.183Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:53.564Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c11cb0c5-6ce6-53e6-990a-3db70bde087e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:31.153Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msoimm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICI
AL-WIN10.qa.code42.com\",\"2021-08-23T09:31:53.564Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"2021-09-16T22:52:32.766Z\",11529088,\"code42-exfil-share-datatype\",\"3f7fb1d32a7be58e65dc615a9553e183\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:31.153Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.183Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:45.200Z 804e3b095828 Skyformation - 4568069721930504518 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 dproc=file events dtz=default-tenant end=1631832945200 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:45.200Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:44.294Z 
ext_md5Checksum=443f8cb00cc5111045099941ed333760 ext_sharedWith=[] ext_sha256Checksum=0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:57.527022Z ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:45.200Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:56:57.527022Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/eric.strauss/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"443f8cb00cc5111045099941ed333760\\\",\\\"sha256Checksum\\\":\\\"0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59\\\",\\\"createTimestamp\\\":\\\"2020-08-14T13:40:10.269Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:44.294Z\\\",\\\"deviceUserName\\\":\\\"eric.strauss@c42se.com\\\",\\\"osHostName\\\":\\\"ERICS-OFFICIAL-\\\",\\\"domainName\\\":\\\"ERICS-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:10bc:b19:239f:6063%eth4\\\",\\\"172.20.65
.70\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"949085489986461736\\\",\\\"userUid\\\":\\\"886924612955838070\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"eric.strauss\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-88010803-a3bd-5c70-ad45-f8a8ff7c5250\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:55:45.200Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"ERICS-OFFICIAL-\",\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:55:44.294Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"eric.strauss\",\"0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59\",\"2021-09-16T22:58:29.756Z\",21,\"code42-exfil-share-datatype\",\"443f8cb00cc5111045099941ed333760\",57848,\"false\",\"TRUE\",\"C:/Users/eric.strauss/\",\"Document\",\"Administrators\",\"FILE\",\"886924612955838070\",\"2021-09-16T22:55:45.200Z\",\"eric.strauss@c42se.com\",\"eric.strauss@c42se.com\",\"2020-08-14T13:40:10.269Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.250Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336984Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Collections.Immutable.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":302216,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d8203aedaabeac1e606cd0e2af397d01\\\",\\\"sha256Checksum\\\":\\\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.294Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a06655bf-1d69-5734-9385-bedd69f54dde\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.250Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Collections.Immutable.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.294Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"2021-09-16T22:52:32.760Z\",302216,\"code42-exfil-share-datatype\",\"d8203aedaabeac1e606cd0e2af397d01\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.250Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.201Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314355Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.WebSocketClient.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1103208,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"e93c70df0faa580e8272c9c833238352\\\",\\\"sha256Checksum\\\":\\\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.457Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.468Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"r
emovableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6c6ba0d2-5cb7-5fb4-b8fa-b1ddcca2b916\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.201Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.WebSocketClient.dll\",\"DAR
NELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.468Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"2021-09-16T22:52:32.763Z\",1103208,\"code42-exfil-share-datatype\",\"e93c70df0faa580e8272c9c833238352\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.201Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.457Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:57:00.388Z 804e3b095828 Skyformation - 828612858482025544 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 dproc=file events dtz=default-tenant end=1631833020388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:00.388Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:59.574Z 
ext_md5Checksum=8efa479f501fce555f0d148ed15700ff ext_sharedWith=[] ext_sha256Checksum=7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:23.763511Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:57:00.388Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:58:23.763511Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/keri.prichard/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"8efa479f501fce555f0d148ed15700ff\\\",\\\"sha256Checksum\\\":\\\"7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:28:08.235Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:56:59.574Z\\\",\\\"deviceUserName\\\":\\\"keri.prichard@example.edu\\\",\\\"osHostName\\\":\\\"KERIP-OFFICIAL-\\\",\\\"domainName\\\":\\\"KERIP-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.164\\\",\\\"
fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423512854283047\\\",\\\"userUid\\\":\\\"966201252013468837\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"keri.prichard\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-16c0c82f-103f-5735-8035-176b59587558\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:57:00.388Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-in
t-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KERIP-OFFICIAL-\",\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:56:59.574Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"keri.prichard\",\"7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0\",\"2021-09-16T23:00:29.721Z\",21,\"code42-exfil-share-datatype\",\"8efa479f501fce555f0d148ed15700ff\",57848,\"false\",\"TRUE\",\"C:/Users/keri.prichard/\",\"Document\",\"Administrators\",\"FILE\",\"966201252013468837\",\"2021-09-16T22:57:00.388Z\",\"keri.prichard@example.edu\",\"keri.prichard@example.edu\",\"2020-08-21T01:28:08.235Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:44.248Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315215Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"ipcfile.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":519040,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"c0ae22d4188ac20d9d83dd26ad0aabe8\\\",\\\"sha256Checksum\\\":\\\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.591Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.599Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nu
ll,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-688ee4c8-f77c-5f46-9836-4348af79eaac\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:44.248Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ipcfile.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.599Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"2021-09-16T22:52:32.766Z\",519040,\"code42-exfil-share-datatype\",\"c0ae22d4188ac20d9d83dd26ad0aabe8\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:44.248Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.591Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.199Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315098Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-runtime-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":16248,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"439e89fa2d4882b639df5e8ec7a96ba3\\\",\\\"sha256Checksum\\\":\\\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.868Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removable
MediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a0d1586a-980b-53db-a3bd-54d0da5b1f6c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:41.199Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-runtime-l1-1-0.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"2021-09-16T22:52:32.759Z\",16248,\"code42-exfil-share-datatype\",\"439e89fa2d4882b639df5e8ec7a96ba3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.199Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.868Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.194Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336844Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Options.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":50552,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"89c3d573e8b2e5a71850a69f14fff1a5\\\",\\\"sha256Checksum\\\":\\\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.786Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.917Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d48070bb-5f27-5c2d-988d-60be6d9b5bf9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.194Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Options.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.917Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"2021-09-16T22:52:32.763Z\",50552,\"code42-exfil-share-datatype\",\"89c3d573e8b2e5a71850a69f14fff1a5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.194Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.786Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:59:02.980Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:01:17.003636Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661803,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"7a691f6c406d52373ad2c62e2f480bb3\\\",\\\"sha256Checksum\\\":\\\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:59:00.670Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-44f8d201-58cc-59b9-97c3-f246c522fbbf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:59:02.980Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{
\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:59:00.670Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"2021-09-16T23:02:30.314Z\",6661803,\"code42-exfil-share-datatype\",\"7a691f6c406d52373ad2c62e2f480bb3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:59:02.980Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.391Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314714Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-debug-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11648,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"5c7fa0b68872c2d1d3f10601e3af2341\\\",\\\"sha256Checksum\\\":\\\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.181Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.185Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMe
diaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-76f5923e-90cb-5871-a068-f325c3b14df5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.391Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-debug-l1-1-0.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.185Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"2021-09-16T22:52:32.758Z\",11648,\"code42-exfil-share-datatype\",\"5c7fa0b68872c2d1d3f10601e3af2341\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.391Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.181Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.258Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336992Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.ComponentModel.Annotations.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":43152,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"7d3d14b0417a68ccdd9c51972ff74863\\\",\\\"sha256Checksum\\\":\\\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.619Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.611Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"
outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d53d7240-3aa7-5101-93e4-21c54bf8057d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.258Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.ComponentModel.Annotations.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.611Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"2021-09-16T22:52:32.766Z\",43152,\"code42-exfil-share-datatype\",\"7d3d14b0417a68ccdd9c51972ff74863\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.258Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.619Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.409Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314795Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-interlocked-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11640,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"72413f1254d09348dab76ee4e5e2e300\\\",\\\"sha256Checksum\\\":\\\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.394Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.395Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"remov
ableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9d71ceb9-5bd1-5f54-9ab2-e4c2b17d36ec\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.409Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-interlocked-l1-1-0.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.395Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"2021-09-16T22:52:32.767Z\",11640,\"code42-exfil-share-datatype\",\"72413f1254d09348dab76ee4e5e2e300\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.409Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.394Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.322Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335199Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"WindowsFormsIntegration.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14736,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\\\",\\\"sha256Checksum\\\":\\\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.379Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-591003e3-d294-5b92-b79e-0b8f876ef71a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.322Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WindowsFormsIntegration.resources.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.379Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"2021-09-16T22:52:32.766Z\",14736,\"code42-exfil-share-datatype\",\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.322Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:39.345Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337890Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSync.Resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2382208,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"3c69d0029f27ff52a1b4d3f70fef0d2b\\\",\\\"sha256Checksum\\\":\\\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:12.114Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:12.146Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMedi
aName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-948e9f79-dc63-5056-aea8-c68e06874928\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:39.345Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSync.Resources.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:12.146Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"2021-09-16T22:52:32.760Z\",2382208,\"code42-exfil-share-datatype\",\"3c69d0029f27ff52a1b4d3f70fef0d2b\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:39.345Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:12.114Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.278Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336341Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\\\",\\\"fileName\\\":\\\"UIAutomationClient.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18320,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5e55e4041d9e6f6bf0d3738a25255913\\\",\\\"sha256Checksum\\\":\\\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.643Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.271Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-05bbd72b-3d43-546c-9d35-945d8f707e57\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.278Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationClient.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.271Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"2021-09-16T22:52:32.762Z\",18320,\"code42-exfil-share-datatype\",\"5e55e4041d9e6f6bf0d3738a25255913\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.278Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.643Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:46.178Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315412Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\\\",\\\"fileName\\\":\\\"qtquickextrasplugin.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":80256,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"68118cdf04def6c50804a705773bbd9b\\\",\\\"sha256Checksum\\\":\\\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:21.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:21.223Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"
removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4a0c230f-9717-5e9f-a713-a19dc76fff57\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:46.178Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"qtquickextrasplugin.dll\",\"DARNELLW-OFFICI\",\"
DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:21.223Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"2021-09-16T22:52:32.765Z\",80256,\"code42-exfil-share-datatype\",\"68118cdf04def6c50804a705773bbd9b\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:46.178Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:21.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.233Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336279Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":35728,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1b4ed26020dd106aaf2e1a6265dce9d\\\",\\\"sha256Checksum\\\":\\\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.627Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.224Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b94cad0a-dbae-50b0-8247-6f277b16ef62\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.233Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.224Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"2021-09-16T22:52:32.760Z\",35728,\"code42-exfil-share-datatype\",\"e1b4ed26020dd106aaf2e1a6265dce9d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.233Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.627Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.330Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335818Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15736,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1b1e7bc04757e673ca956218abdb7959\\\",\\\"sha256Checksum\\\":\\\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.393Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.144Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipien
ts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-72a3a626-c665-500e-8f8e-348475fffa7a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.330Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll\"
,\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.144Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"2021-09-16T22:52:32.766Z\",15736,\"code42-exfil-share-datatype\",\"1b1e7bc04757e673ca956218abdb7959\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.330Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.393Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.241Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335618Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d1b7ec7c3a95ec1e84117bfef59f1ab6\\\",\\\"sha256Checksum\\\":\\\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.863Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecip
ients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a0de864d-2900-5255-812e-84ad1269fe51\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.241Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll
\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.863Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"2021-09-16T22:52:32.765Z\",15240,\"code42-exfil-share-datatype\",\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.241Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.295Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335136Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5a9f0b52ac62762bd03d34c0e410acb3\\\",\\\"sha256Checksum\\\":\\\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.316Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipien
ts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a05b4e8f-6202-5499-ba07-3718cf72c197\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.295Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll\"
,\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.316Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"2021-09-16T22:52:32.760Z\",15224,\"code42-exfil-share-datatype\",\"5a9f0b52ac62762bd03d34c0e410acb3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.295Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:30.321Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337686Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"inktotextengineimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":346480,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3579a936952da7532c4358700bed43a3\\\",\\\"sha256Checksum\\\":\\\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.183Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.674Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outside
ActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b5817d5a-4a72-58ec-81bc-5a28f291f095\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:30.321Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"inktotextengineimm.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.674Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"2021-09-16T22:52:32.762Z\",346480,\"code42-exfil-share-datatype\",\"3579a936952da7532c4358700bed43a3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:30.321Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.183Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.216Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337256Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"libnanoapi.lib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":1570,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"bb41b302cf1325c4f459616da8e605a2\\\",\\\"sha256Checksum\\\":\\\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.468Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:30.262Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeBy
Bytes\\\":\\\"application/x-archive\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f011d516-96c8-5ad3-a4b0-533801bdca65\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:23.216Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\
":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libnanoapi.lib\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:30.262Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"2021-09-16T22:52:32.763Z\",1570,\"code42-exfil-share-datatype\",\"bb41b302cf1325c4f459616da8e605a2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"Archive\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.216Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.468Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:50:54.234Z 804e3b095828 Skyformation - 8299296745530260548 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 dproc=file events dtz=default-tenant 
end=1631832654234 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:50:54.234Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:50:53.422Z ext_md5Checksum=f9f18977a180437631eb8e969d503075 ext_sharedWith=[] ext_sha256Checksum=cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:51:57.205056Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:50:54.234Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:57.205056Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/russell.martin/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"f9f18977a180437631eb8e969d503075\\\",\\\"sha256Checksum\\\":\\\"cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:27:36.760Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:50:53.422Z\\\",\\\"deviceUserName\\\":\\\"russell.martin@example.edu\\\",\\\"osHostName\\\":\\\"RUSSELLM-OFFICI\\\",\\\"domainName\\\":\\\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.162\\\",\\\"fe80:0:0:0:49f7:c945:904:10d5%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423453587837882\\\",\\\"userUid\\\":\\\"966201050854648997\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPa
rtitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"russell.martin\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4162539b-fbca-51cf-b6e4-0a6b26d39962\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:50:54.234Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"RUSSELLM-OFFICI\",\"RUSSELLM-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-09-16T22:50:53.422Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"russell.martin\",\"cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022\",\"2021-09-16T22:52:32.764Z\",21,\"code42-exfil-share-datatype\",\"f9f18977a180437631eb8e969d503075\",57848,\"false\",\"TRUE\",\"C:/Users/russell.martin/\",\"Document\",\"Administrators\",\"FILE\",\"966201050854648997\",\"2021-09-16T22:50:54.234Z\",\"russell.martin@example.edu\",\"russell.martin@example.edu\",\"2020-08-21T01:27:36.760Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.178Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337186Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"YourPhoneServer.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":47104,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"640c3b31c496531dacc0a8fb830fd457\\\",\\\"sha256Checksum\\\":\\\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.653Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.484Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours
\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bb1cd9ba-bcbf-5e7c-bff6-a1f16c9d579f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:23.178Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneServer.exe\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.484Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"2021-09-16T22:52:32.765Z\",47104,\"code42-exfil-share-datatype\",\"640c3b31c496531dacc0a8fb830fd457\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.178Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.653Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:18.328Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334616Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":30720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c329416237b094613fc5f5a64b2ecbce\\\",\\\"sha256Checksum\\\":\\\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.564Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.664Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-53045a88-f6cf-5c78-9b45-7919c983dd54\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:18.328Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.664Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"2021-09-16T22:52:32.765Z\",30720,\"code42-exfil-share-datatype\",\"c329416237b094613fc5f5a64b2ecbce\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:18.328Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.564Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:52:54.712Z 804e3b095828 Skyformation - 1972555328724139685 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 dproc=file events dtz=default-tenant end=1631832774712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:54.712Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T22:52:53.806Z ext_md5Checksum=352c6e242381d6d2fd656d2ffe3f05a9 ext_sharedWith=[] ext_sha256Checksum=97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:02.107014Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:52:54.712Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:54:02.107014Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/michelle.goldberg/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"352c6e242381d6d2fd656d2ffe3f05a9\\\",\\\"sha256Checksum\\\":\\\"97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:53:22.049Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:52:53.806Z\\\",\\\"deviceUserName\\\":\\\"michelle.goldberg@c42se.com\\\",\\\"osHostName\\\":\\\"MICHELLEG-OFFIC\\\",\\\"domainName\\\":\\\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAdd
resses\\\":[\\\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\\\",\\\"172.20.65.60\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944597031926579042\\\",\\\"userUid\\\":\\\"922302705889597824\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"michelle.goldberg\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7c4b7cfb-ff1f-59b1-93a0-91313fa71439\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:52:54.712Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\
"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"MICHELLEG-OFFIC\",\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:52:53.806Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"michelle.goldberg\",\"97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d\",\"2021-09-16T22:54:30.604Z\",21,\"code42-exfil-share-datatype\",\"352c6e242381d6d2fd656d2ffe3f05a9\",57848,\"false\",\"TRUE\",\"C:/Users/michelle.goldberg/\",\"Document\",\"Administrators\",\"FILE\",\"922302705889597824\",\"2021-09-16T22:52:54.712Z\",\"michelle.goldberg@c42se.com\",\"michelle.goldberg@c42se.com\",\"2020-08-14T14:53:22.049Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 
ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.130Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336068Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d7b70d7ae944e13019a7796eb46e966c\\\",\\\"sha256Checksum\\\":\\\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.755Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2dfdd205-d548-557a-a188-7105930ba081\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.130Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.755Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"2021-09-16T22:52:32.759Z\",17296,\"code42-exfil-share-datatype\",\"d7b70d7ae944e13019a7796eb46e966c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.130Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:01.316Z 804e3b095828 Skyformation - 5313767959944003510 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 dproc=file events dtz=default-tenant end=1631832901316 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:01.316Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.503Z 
ext_md5Checksum=1ed9751c3a3a31efb6d268320a46952a ext_sharedWith=[] ext_sha256Checksum=8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:00.284722Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:01.316Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:56:00.284722Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/lisa.anderson/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"1ed9751c3a3a31efb6d268320a46952a\\\",\\\"sha256Checksum\\\":\\\"8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab\\\",\\\"createTimestamp\\\":\\\"2020-08-20T15:35:40.032Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:00.503Z\\\",\\\"deviceUserName\\\":\\\"lisa.anderson@example.edu\\\",\\\"osHostName\\\":\\\"LISAA-OFFICIAL-\\\",\\\"domainName\\\":\\\"LISAA-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.165\\\",\\\"
0:0:0:0:0:0:0:1\\\",\\\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968364480722593364\\\",\\\"userUid\\\":\\\"966200991614299301\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"lisa.anderson\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d3ebf614-7a41-54e5-b9ad-6e8b032a6820\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:55:01.316Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-
int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"LISAA-OFFICIAL-\",\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:55:00.503Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"lisa.anderson\",\"8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab\",\"2021-09-16T22:58:29.756Z\",21,\"code42-exfil-share-datatype\",\"1ed9751c3a3a31efb6d268320a46952a\",57848,\"false\",\"TRUE\",\"C:/Users/lisa.anderson/\",\"Document\",\"Administrators\",\"FILE\",\"966200991614299301\",\"2021-09-16T22:55:01.316Z\",\"lisa.anderson@example.edu\",\"lisa.anderson@example.edu\",\"2020-08-20T15:35:40.032Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.133Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336694Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Client.Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":144760,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1edab455db5fec76120731d3c11cb67\\\",\\\"sha256Checksum\\\":\\\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.823Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":n
ull,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f3d93fcd-248c-5cf5-b1e3-7ea6efaeb96e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.133Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"D
ARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.823Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"2021-09-16T22:52:32.761Z\",144760,\"code42-exfil-share-datatype\",\"e1edab455db5fec76120731d3c11cb67\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.133Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.388Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314702Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-datetime-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11648,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"98cfeaa96192d5dccc4a1852f6754fd5\\\",\\\"sha256Checksum\\\":\\\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.142Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.155Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removabl
eMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a5f54c34-5c36-5f79-9a0a-cd3443ceaf39\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.388Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-datetime-l1-1-0.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.155Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"2021-09-16T22:52:32.762Z\",11648,\"code42-exfil-share-datatype\",\"98cfeaa96192d5dccc4a1852f6754fd5\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.388Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.142Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:02.481Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:55:54.847061Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661687,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3df126f4a090da12f2c29b6e5c1c29da\\\",\\\"sha256Checksum\\\":\\\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:00.206Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-32ba2af3-2036-5524-8bbc-ace366ddd95d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:55:02.481Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"
},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:55:00.206Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"2021-09-16T22:58:29.755Z\",6661687,\"code42-exfil-share-datatype\",\"3df126f4a090da12f2c29b6e5c1c29da\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:55:02.481Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.123Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337678Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"igxim.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":4910872,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d19ae43d04b6c5c4b5f3fcc081b9e602\\\",\\\"sha256Checksum\\\":\\\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.611Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\
\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bb0321a2-a87b-56fe-b5b5-20b9c02a89b4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:28.123Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"igxim.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIA
L-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.611Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"2021-09-16T22:52:32.759Z\",4910872,\"code42-exfil-share-datatype\",\"d19ae43d04b6c5c4b5f3fcc081b9e602\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.123Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.086Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336563Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"AutoMapper.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":286720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ff3c3d84a000d57ef7d443f594d407ec\\\",\\\"sha256Checksum\\\":\\\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\\\",\\\"createTimestamp\\\":\\\"2021-06-17T09:48:12.583Z\\\",\\\"modifyTimestamp\\\":\\\"2021-06-17T09:48:17.915Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\"
:false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4092231e-8015-5e72-93c4-007b94515cd6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.086Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"AutoMapper.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OF
FICIAL-WIN10.qa.code42.com\",\"2021-06-17T09:48:17.915Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"2021-09-16T22:52:32.759Z\",286720,\"code42-exfil-share-datatype\",\"ff3c3d84a000d57ef7d443f594d407ec\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.086Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-06-17T09:48:12.583Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.166Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336765Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Caching.Memory.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":32120,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"9e7c8d18c1128488df0dea96a6b5be3c\\\",\\\"sha256Checksum\\\":\\\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.247Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-32cf786a-b54f-5f06-8b5f-120a57ee31d5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.166Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Caching.Memory.dll\",\"DARNEL
LW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.247Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"2021-09-16T22:52:32.764Z\",32120,\"code42-exfil-share-datatype\",\"9e7c8d18c1128488df0dea96a6b5be3c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.166Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.086Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335338Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\\\",\\\"fileName\\\":\\\"mscorrc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":13176,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"fc24926593d08479a7ed2bdaff458d20\\\",\\\"sha256Checksum\\\":\\\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.252Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.613Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":f
alse,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-986981d1-b0c1-5463-b0d6-0f4ac3764bf2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.086Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"mscorrc.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.613Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"2021-09-16T22:52:32.759Z\",13176,\"code42-exfil-share-datatype\",\"fc24926593d08479a7ed2bdaff458d20\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.086Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.252Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.192Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314319Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.Calc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1333608,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"29b2b242a9fb8c094425d566c50f0958\\\",\\\"sha256Checksum\\\":\\\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.949Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.967Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMedi
aMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d06e6d6c-2bd7-559d-88b4-d7e4d1a89e9a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.192Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.Calc.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.967Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"2021-09-16T22:52:32.760Z\",1333608,\"code42-exfil-share-datatype\",\"29b2b242a9fb8c094425d566c50f0958\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.192Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.949Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 2046146408369861582 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=4447782c2756c6c447299d79a0e92f6950df5def fsize=3105208 msg=Resource [Resource: file :: 4447782c2756c6c447299d79a0e92f6950df5def] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=4447782c2756c6c447299d79a0e92f6950df5def ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T10:01:33.097Z ext_md5Checksum=3a09012f4a87abb2366ffbf8ca4b70ec ext_sharedWith=[] ext_sha256Checksum=0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3105208 ext_insertionTimestamp=2021-09-16T22:59:26.353746Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T10:01:32.918Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:32.032Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:59:26.353746Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Windows/SoftwareDistribution/Download/\\\",\\\"fileName\\\":\\\"4447782c2756c6c447299d79a0e92f6950df5def\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":3105208,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3a09012f4a87abb2366ffbf8ca4b70ec\\\",\\\"sha256Checksum\\\":\\\"0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862\\\",\\\"createTimestamp\\\":\\\"2021-09-15T10:01:32.918Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T10:01:33.097Z\\\",\\\"deviceUserName\\\":\\\"michelle.goldberg@c42se.com\\\",\\\"osHostName\\\":\\\"MICHELLEG-OFFIC\\\",\\\"domainName\\\":\\\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\\\",\\\"172.20.65.60\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944597031926579042\\\",\\\"userUid\\\":\\\"922302705889597824\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"
removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"michelle.goldberg\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_11_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6a55a80a-3597-5ff8-8362-b51c90225a52\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:55:32.032Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"4447782c2756c6c447299d79a0e92f6950df5def\",\"
MICHELLEG-OFFIC\",\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-15T10:01:33.097Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"michelle.goldberg\",\"0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862\",\"2021-09-16T23:02:30.312Z\",3105208,\"code42-exfil-share-datatype\",\"3a09012f4a87abb2366ffbf8ca4b70ec\",57848,\"false\",\"TRUE\",\"C:/Windows/SoftwareDistribution/Download/\",\"Executable\",\"SYSTEM\",\"FILE\",\"922302705889597824\",\"2021-09-16T22:55:32.032Z\",\"michelle.goldberg@c42se.com\",\"michelle.goldberg@c42se.com\",\"2021-09-15T10:01:32.918Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.160Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336148Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"UIAutomationTypes.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17272,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"077bb8ca6a783006aacb63d08317c339\\\",\\\"sha256Checksum\\\":\\\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.849Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61471_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0357656e-2c0b-5454-97fc-aaff38ba6255\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.160Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationTypes.resources.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.849Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"2021-09-16T22:52:32.764Z\",17272,\"code42-exfil-share-datatype\",\"077bb8ca6a783006aacb63d08317c339\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.160Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.219Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336922Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Newtonsoft.Json.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":653824,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f33cbe589b769956284868104686cc2d\\\",\\\"sha256Checksum\\\":\\\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.618Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.588Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-aea8b0e5-235a-5595-8967-8fed89dcca7f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.219Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Newtonsoft.Json.dll\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.588Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"2021-09-16T22:52:32.761Z\",653824,\"code42-exfil-share-datatype\",\"f33cbe589b769956284868104686cc2d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.219Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.618Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.060Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335277Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":30720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1ac89288b8009c9a0fb138fb9d67b150\\\",\\\"sha256Checksum\\\":\\\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.586Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.943Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9918c6d9-765e-5d8c-b914-bf67bca5fb25\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.060Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.943Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"2021-09-16T22:52:32.763Z\",30720,\"code42-exfil-share-datatype\",\"1ac89288b8009c9a0fb138fb9d67b150\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.060Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.586Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.234Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314470Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5Gui.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6671232,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"f53d5cd7837e933cf4cc8c07a1a88350\\\",\\\"sha256Checksum\\\":\\\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.375Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.450Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6f1119de-1ca4-5c02-8a48-8d233b6c7f51\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.234Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5Gui.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFI
CIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.450Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"2021-09-16T22:52:32.762Z\",6671232,\"code42-exfil-share-datatype\",\"f53d5cd7837e933cf4cc8c07a1a88350\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.234Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.375Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.163Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335444Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17272,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b5cb4e7532586d8ec2a144fe895ef55d\\\",\\\"sha256Checksum\\\":\\\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.330Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.707Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1b62b73d-4074-5e2d-aed4-f833528c33c6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.163Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.707Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"2021-09-16T22:52:32.765Z\",17272,\"code42-exfil-share-datatype\",\"b5cb4e7532586d8ec2a144fe895ef55d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.163Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.330Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.146Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335417Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\\\",\\\"fileName\\\":\\\"PresentationFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":208784,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"beeb465b9ab84dbb8f78f866924d49fe\\\",\\\"sha256Checksum\\\":\\\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.315Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.676Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,
\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-292bec71-c562-577a-a94f-ab54370603eb\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.146Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationFramework.resources.dll\",\"DARNELLW-O
FFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.676Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"2021-09-16T22:52:32.766Z\",208784,\"code42-exfil-share-datatype\",\"beeb465b9ab84dbb8f78f866924d49fe\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.146Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.315Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.288Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335722Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\\\",\\\"sha256Checksum\\\":\\\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.598Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.987Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\
":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2574907d-cae0-57cc-b985-8815cca5ac1d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.288Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.987Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"2021-09-16T22:52:32.761Z\",26112,\"code42-exfil-share-datatype\",\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.288Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.598Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:47:48.222Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:56:50.885010Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/\\\",\\\"fileName\\\":\\\"sshd.pid\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":6,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"4ae3b17c6481c84809152f331f7d783c\\\",\\\"sha256Checksum\\\":\\\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\\\",\\\"createTimestamp\\\":\\\"2021-03-17T09:49:37.832Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T09:39:11.904Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77
:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5d48b52e-0e61-5614-b642-183dc0ac545e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:47:48.222Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}
],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"sshd.pid\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T09:39:11.904Z\",\"application/octet-stream\",\"MODIFIED\",\"162.222.47.183\",\"darnell.waters\",\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"2021-09-16T22:58:29.756Z\",6,\"code42-exfil-share-datatype\",\"4ae3b17c6481c84809152f331f7d783c\",57848,\"false\",\"TRUE\",\"C:/\",\"Document\",\"Administrators\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:47:48.222Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-03-17T09:49:37.832Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.108Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336633Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Google.Protobuf.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":401064,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5e73f645a041a91618e33299cfe33851\\\",\\\"sha256Checksum\\\":\\\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.060Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-764e8852-01b4-5167-bee9-61f29e31602d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.108Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Google.Protobuf.dll\",\"DARNELLW-OFFICI\",\"DARNEL
LW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.060Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"2021-09-16T22:52:32.766Z\",401064,\"code42-exfil-share-datatype\",\"5e73f645a041a91618e33299cfe33851\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.108Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:52:00.340Z 804e3b095828 Skyformation - 101121762317961190 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 dproc=file events dtz=default-tenant end=1631832720340 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:00.340Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:59.527Z ext_md5Checksum=a5d9591d6f143c127c28abadbf112417 
ext_sharedWith=[] ext_sha256Checksum=ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:59.169359Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:52:00.340Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:52:59.169359Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/keri.prichard/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"a5d9591d6f143c127c28abadbf112417\\\",\\\"sha256Checksum\\\":\\\"ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:28:08.235Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:51:59.527Z\\\",\\\"deviceUserName\\\":\\\"keri.prichard@example.edu\\\",\\\"osHostName\\\":\\\"KERIP-OFFICIAL-\\\",\\\"domainName\\\":\\\"KERIP-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.164\\\",\\\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\\\",\\\"0:0:0
:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423512854283047\\\",\\\"userUid\\\":\\\"966201252013468837\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"keri.prichard\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log 
message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b32701b6-d75d-5708-8872-225eb4b7fbd8\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:52:00.340Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\"
,\"modify_me.txt\",\"KERIP-OFFICIAL-\",\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:51:59.527Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"keri.prichard\",\"ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04\",\"2021-09-16T22:54:30.604Z\",21,\"code42-exfil-share-datatype\",\"a5d9591d6f143c127c28abadbf112417\",57848,\"false\",\"TRUE\",\"C:/Users/keri.prichard/\",\"Document\",\"Administrators\",\"FILE\",\"966201252013468837\",\"2021-09-16T22:52:00.340Z\",\"keri.prichard@example.edu\",\"keri.prichard@example.edu\",\"2020-08-21T01:28:08.235Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.284Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337354Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxCommModel.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":4250624,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1d0bcfa0671f607ba8e3ab53f893e8bb\\\",\\\"sha256Checksum\\\":\\\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.137Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActive
Hours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-366d1237-2f8f-52da-b57a-6c5aeff7f553\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.284Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxCommModel.dll\",\"DARNELLW-OFFICI\",\"DARNELLW
-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.137Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"2021-09-16T22:52:32.763Z\",4250624,\"code42-exfil-share-datatype\",\"1d0bcfa0671f607ba8e3ab53f893e8bb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.284Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:01:54.338Z 804e3b095828 Skyformation - 5372332763298212826 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 dproc=file events dtz=default-tenant end=1631833314338 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:01:54.338Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:01:53.526Z 
ext_md5Checksum=88b43443da22c25cf6c00f8cd5c67b29 ext_sharedWith=[] ext_sha256Checksum=7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:49.223927Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:01:54.338Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:02:49.223927Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/russell.martin/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"88b43443da22c25cf6c00f8cd5c67b29\\\",\\\"sha256Checksum\\\":\\\"7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:27:36.760Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:01:53.526Z\\\",\\\"deviceUserName\\\":\\\"russell.martin@example.edu\\\",\\\"osHostName\\\":\\\"RUSSELLM-OFFICI\\\",\\\"domainName\\\":\\\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.162\
\\",\\\"fe80:0:0:0:49f7:c945:904:10d5%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423453587837882\\\",\\\"userUid\\\":\\\"966201050854648997\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"russell.martin\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-87711222-9004-58f2-8d70-d87870bdc475\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:01:54.338Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\
"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"RUSSELLM-OFFICI\",\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:01:53.526Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"russell.martin\",\"7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69\",\"2021-09-16T23:04:29.765Z\",21,\"code42-exfil-share-datatype\",\"88b43443da22c25cf6c00f8cd5c67b29\",57848,\"false\",\"TRUE\",\"C:/Users/russell.martin/\",\"Document\",\"Administrators\",\"FILE\",\"966201050854648997\",\"2021-09-16T23:01:54.338Z\",\"russell.martin@example.edu\",\"russell.martin@example.edu\",\"2020-08-21T01:27:36.760Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:53:34.592Z 804e3b095828 Skyformation - 5887001634145810066 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 dproc=file events dtz=default-tenant end=1631832814592 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:53:34.592Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:53:33.688Z ext_md5Checksum=984ffdd35a8b9587207b594e6a6391b5 ext_sharedWith=[] ext_sha256Checksum=d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:27.640048Z ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:53:34.592Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:54:27.640048Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/sean.cassidy/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"984ffdd35a8b9587207b594e6a6391b5\\\",\\\"sha256Checksum\\\":\\\"d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e\\\",\\\"createTimestamp\\\":\\\"2020-03-23T20:49:51.288Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:53:33.688Z\\\",\\\"deviceUserName\\\":\\\"sean.cassidy@c42se.com\\\",\\\"osHostName\\\":\\\"SEANC-OFFICIAL-\\\",\\\"domainName\\\":\\\"SEANC-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"pr
ivateIpAddresses\\\":[\\\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\",\\\"172.20.65.56\\\"],\\\"deviceUid\\\":\\\"983156854068078725\\\",\\\"userUid\\\":\\\"887050325252344565\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"sean.cassidy\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-719c033c-53b7-50ac-bf24-b8c674179635\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:53:34.592Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\
"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"SEANC-OFFICIAL-\",\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:53:33.688Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"sean.cassidy\",\"d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e\",\"2021-09-16T22:54:30.604Z\",21,\"code42-exfil-share-datatype\",\"984ffdd35a8b9587207b594e6a6391b5\",57848,\"false\",\"TRUE\",\"C:/Users/sean.cassidy/\",\"Document\",\"Administrators\",\"FILE\",\"887050325252344565\",\"2021-09-16T22:53:34.592Z\",\"sean.cassidy@c42se.com\",\"sean.cassidy@c42se.com\",\"2020-03-23T20:49:51.288Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.158Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314982Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-conio-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12664,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"c61e3c9099cc2b143cc93bf26ac01d34\\\",\\\"sha256Checksum\\\":\\\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.790Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.790Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMed
iaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-19461a73-1623-57e1-9868-8316927e555a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:41.158Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-conio-l1-1-0.dll\",\"DARNELLW-OFFIC
I\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.790Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"2021-09-16T22:52:32.763Z\",12664,\"code42-exfil-share-datatype\",\"c61e3c9099cc2b143cc93bf26ac01d34\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.158Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.790Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 8292696232025279500 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=3e524e400c05f8303ada6e81308853048f98951f fsize=348600 msg=Resource [Resource: file :: 3e524e400c05f8303ada6e81308853048f98951f] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=3e524e400c05f8303ada6e81308853048f98951f ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:53:42.201Z ext_md5Checksum=a41a0e7d69c8b117f5a841863ad4d765 ext_sharedWith=[] ext_sha256Checksum=ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=348600 ext_insertionTimestamp=2021-09-16T22:59:26.353728Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T09:53:42.064Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:32.032Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:59:26.353728Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Windows/SoftwareDistribution/Download/\\\",\\\"fileName\\\":\\\"3e524e400c05f8303ada6e81308853048f98951f\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":348600,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"a41a0e7d69c8b117f5a841863ad4d765\\\",\\\"sha256Checksum\\\":\\\"ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae\\\",\\\"createTimestamp\\\":\\\"2021-09-15T09:53:42.064Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:53:42.201Z\\\",\\\"deviceUserName\\\":\\\"michelle.goldberg@c42se.com\\\",\\\"osHostName\\\":\\\"MICHELLEG-OFFIC\\\",\\\"domainName\\\":\\\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\\\",\\\"172.20.65.60\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944597031926579042\\\",\\\"userUid\\\":\\\"922302705889597824\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"r
emovableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"michelle.goldberg\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b141bf70-a77d-5e91-985f-804abf86f186\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:55:32.032Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"3e524e400c05f8303ada6e81308853048f98951f\",\"
MICHELLEG-OFFIC\",\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-15T09:53:42.201Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"michelle.goldberg\",\"ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae\",\"2021-09-16T23:00:29.721Z\",348600,\"code42-exfil-share-datatype\",\"a41a0e7d69c8b117f5a841863ad4d765\",57848,\"false\",\"TRUE\",\"C:/Windows/SoftwareDistribution/Download/\",\"Executable\",\"SYSTEM\",\"FILE\",\"922302705889597824\",\"2021-09-16T22:55:32.032Z\",\"michelle.goldberg@c42se.com\",\"michelle.goldberg@c42se.com\",\"2021-09-15T09:53:42.064Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:56:54.736Z 804e3b095828 Skyformation - 2768134485455653850 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 dproc=file events dtz=default-tenant end=1631833014736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:56:54.736Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:53.830Z 
ext_md5Checksum=d7bad10ef06efb58306cf290c0666440 ext_sharedWith=[] ext_sha256Checksum=158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:26.353681Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:56:54.736Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:59:26.353681Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/michelle.goldberg/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"d7bad10ef06efb58306cf290c0666440\\\",\\\"sha256Checksum\\\":\\\"158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:53:22.049Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:56:53.830Z\\\",\\\"deviceUserName\\\":\\\"michelle.goldberg@c42se.com\\\",\\\"osHostName\\\":\\\"MICHELLEG-OFFIC\\\",\\\"domainName\\\":\\\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:29f6:1fed:cdd5:ef
ae%eth4\\\",\\\"172.20.65.60\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944597031926579042\\\",\\\"userUid\\\":\\\"922302705889597824\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"michelle.goldberg\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-53659e52-f299-5197-b32b-1b8ec8f96d9d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:56:54.736Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-
int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"MICHELLEG-OFFIC\",\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:56:53.830Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"michelle.goldberg\",\"158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba\",\"2021-09-16T23:00:29.721Z\",21,\"code42-exfil-share-datatype\",\"d7bad10ef06efb58306cf290c0666440\",57848,\"false\",\"TRUE\",\"C:/Users/michelle.goldberg/\",\"Document\",\"Administrators\",\"FILE\",\"922302705889597824\",\"2021-09-16T22:56:54.736Z\",\"michelle.goldberg@c42se.com\",\"michelle.goldberg@c42se.com\",\"2020-08-14T14:53:22.049Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.309Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337398Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxOutlook.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1439232,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"845c649d20d35fc78fbab0c0d9ec5ec6\\\",\\\"sha256Checksum\\\":\\\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.168Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHo
urs\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8ecbddf4-f6de-5532-b9a4-0c18b11274a2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.309Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxOutlook.exe\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.168Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"2021-09-16T22:52:32.761Z\",1439232,\"code42-exfil-share-datatype\",\"845c649d20d35fc78fbab0c0d9ec5ec6\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.309Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.350Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337538Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"TextEntityExtractorProxy.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":638976,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f8af1754c0bdb86deb1f68930784d580\\\",\\\"sha256Checksum\\\":\\\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:55.205Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-767515fa-6d2b-54eb-b95a-d0ed62b96e67\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.350Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"TextEntityExtractorProxy.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:55.205Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"2021-09-16T22:52:32.767Z\",638976,\"code42-exfil-share-datatype\",\"f8af1754c0bdb86deb1f68930784d580\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.350Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.190Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336835Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Logging.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":34168,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"47d7a055ee7672f9b54ba629da07a6a3\\\",\\\"sha256Checksum\\\":\\\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.786Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.917Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-19f4f026-7d63-5465-9fc6-c1821bd52f8b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.190Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Logging.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.917Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"2021-09-16T22:52:32.766Z\",34168,\"code42-exfil-share-datatype\",\"47d7a055ee7672f9b54ba629da07a6a3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.190Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.786Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:02:22.586Z 804e3b095828 Skyformation - 166520060466349731 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 dproc=file events dtz=default-tenant end=1631833342586 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:02:22.586Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:22.567Z 
ext_md5Checksum=863d783444c0ecd387c905e9176bf141 ext_sharedWith=[] ext_sha256Checksum=fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:40.014640Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:02:22.586Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:03:40.014640Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/john.miller/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"863d783444c0ecd387c905e9176bf141\\\",\\\"sha256Checksum\\\":\\\"fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:36:29.460Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:02:22.567Z\\\",\\\"deviceUserName\\\":\\\"john.miller@c42se.com\\\",\\\"osHostName\\\":\\\"JOHNM-OFFICIAL-\\\",\\\"domainName\\\":\\\"JOHNM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\\\",\\\"0:0:0:0:0:
0:0:1\\\",\\\"172.20.64.238\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944596934062634167\\\",\\\"userUid\\\":\\\"920256648733700755\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"john.miller\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_3_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4993fc49-66eb-5a74-8700-2b0bed24b796\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:02:22.586Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"JOHNM-OFFICIAL-\",\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:02:22.567Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"john.miller\",\"fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833\",\"2021-09-16T23:04:29.764Z\",21,\"code42-exfil-share-datatype\",\"863d783444c0ecd387c905e9176bf141\",57848,\"false\",\"TRUE\",\"C:/Users/john.miller/\",\"Document\",\"Administrators\",\"FILE\",\"920256648733700755\",\"2021-09-16T23:02:22.586Z\",\"john.miller@c42se.com\",\"john.miller@c42se.com\",\"2020-08-14T14:36:29.460Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.168Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336774Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Configuration.Abstractions.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":21368,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1c8f3a5d41fd162943613952097db8b\\\",\\\"sha256Checksum\\\":\\\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.771Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients
\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-30ad332e-3cc8-5056-9b47-f6c67e1be5ad\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.168Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Configuration.Abstractions.
dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"2021-09-16T22:52:32.765Z\",21368,\"code42-exfil-share-datatype\",\"e1c8f3a5d41fd162943613952097db8b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.168Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.771Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.090Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335347Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":19968,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b2f71614b51575b117cfa4356d851423\\\",\\\"sha256Checksum\\\":\\\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.589Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.950Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9c09f4e8-150f-5f53-ba71-50de875db6f2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.090Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.950Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"2021-09-16T22:52:32.761Z\",19968,\"code42-exfil-share-datatype\",\"b2f71614b51575b117cfa4356d851423\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.090Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.589Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.102Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335997Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":31744,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"88d5e6253dcb376fb076c87713b3628e\\\",\\\"sha256Checksum\\\":\\\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.614Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.054Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4d5460d1-da05-5833-8d33-4461a20b887c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.102Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.054Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"2021-09-16T22:52:32.766Z\",31744,\"code42-exfil-share-datatype\",\"88d5e6253dcb376fb076c87713b3628e\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.102Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.614Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:53.470Z 804e3b095828 Skyformation - 8757910183166367699 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 dproc=file events dtz=default-tenant end=1631832953470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:53.470Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:52.553Z 
ext_md5Checksum=42095b3368e04ec563ae3cc508cf7b0b ext_sharedWith=[] ext_sha256Checksum=7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:57:12.133407Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:53.470Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:57:12.133407Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/alex.cooper/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"42095b3368e04ec563ae3cc508cf7b0b\\\",\\\"sha256Checksum\\\":\\\"7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a\\\",\\\"createTimestamp\\\":\\\"2020-08-14T13:57:46.726Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:52.553Z\\\",\\\"deviceUserName\\\":\\\"alex.cooper@c42se.com\\\",\\\"osHostName\\\":\\\"ALEXC-OFFICIAL-\\\",\\\"domainName\\\":\\\"ALEXC-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.65.62\\\",\\\"fe80:0:0:0:
d0a7:7d2c:ac2a:37db%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944595906935824510\\\",\\\"userUid\\\":\\\"925771637667629373\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"alex.cooper\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6cc5937c-087a-5124-b1d8-ee04a483a05a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:55:53.470Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"ALEXC-OFFICIAL-\",\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:55:52.553Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"alex.cooper\",\"7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a\",\"2021-09-16T22:58:29.756Z\",21,\"code42-exfil-share-datatype\",\"42095b3368e04ec563ae3cc508cf7b0b\",57848,\"false\",\"TRUE\",\"C:/Users/alex.cooper/\",\"Document\",\"Administrators\",\"FILE\",\"925771637667629373\",\"2021-09-16T22:55:53.470Z\",\"alex.cooper@c42se.com\",\"alex.cooper@c42se.com\",\"2020-08-14T13:57:46.726Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:57:23.419Z 804e3b095828 Skyformation - 7013019646501643272 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 dproc=file events dtz=default-tenant end=1631833043419 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:23.419Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:57:22.503Z ext_md5Checksum=8ea299414f16148eb8517e478d71f64c 
ext_sharedWith=[] ext_sha256Checksum=e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:13.330998Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:57:23.419Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:58:13.330998Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/john.miller/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"8ea299414f16148eb8517e478d71f64c\\\",\\\"sha256Checksum\\\":\\\"e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:36:29.460Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:57:22.503Z\\\",\\\"deviceUserName\\\":\\\"john.miller@c42se.com\\\",\\\"osHostName\\\":\\\"JOHNM-OFFICIAL-\\\",\\\"domainName\\\":\\\"JOHNM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"172.20.64.238\\\",\\\"127.0.0.1\\\"
],\\\"deviceUid\\\":\\\"944596934062634167\\\",\\\"userUid\\\":\\\"920256648733700755\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"john.miller\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 
days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-39144912-bbfc-507f-a580-4c709660d4b3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:57:23.419Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"JOHNM-OFFICIAL-\",\"
JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:57:22.503Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"john.miller\",\"e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e\",\"2021-09-16T23:00:29.720Z\",21,\"code42-exfil-share-datatype\",\"8ea299414f16148eb8517e478d71f64c\",57848,\"false\",\"TRUE\",\"C:/Users/john.miller/\",\"Document\",\"Administrators\",\"FILE\",\"920256648733700755\",\"2021-09-16T22:57:23.419Z\",\"john.miller@c42se.com\",\"john.miller@c42se.com\",\"2020-08-14T14:36:29.460Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE 
ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:44.262Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315284Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"msipc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":3022712,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"dcd150947325c51dc49af1c568e76466\\\",\\\"sha256Checksum\\\":\\\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.484Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.519Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9e30b314-9ee6-5218-b163-313d2a5bb546\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:44.262Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msipc.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIA
L-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.519Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"2021-09-16T22:52:32.766Z\",3022712,\"code42-exfil-share-datatype\",\"dcd150947325c51dc49af1c568e76466\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:44.262Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.484Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.100Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337625Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\\\",\\\"fileName\\\":\\\"msointlimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":377184,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"99d060c13d92442ea518ad6c13305532\\\",\\\"sha256Checksum\\\":\\\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.887Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:50.699Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideAc
tiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-49473a25-b7cc-50fd-a762-72b81b536667\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:28.100Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msointlimm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OF
FICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:50.699Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"2021-09-16T22:52:32.765Z\",377184,\"code42-exfil-share-datatype\",\"99d060c13d92442ea518ad6c13305532\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.100Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.887Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:54:34.612Z 804e3b095828 Skyformation - 6165243996888775860 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 dproc=file events dtz=default-tenant end=1631832874612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:54:34.612Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:54:33.697Z 
ext_md5Checksum=d4d35cde3d316ed4aeedf61797ae50a4 ext_sharedWith=[] ext_sha256Checksum=4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:52.367764Z ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:54:34.612Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:59:52.367764Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/sean.cassidy/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"d4d35cde3d316ed4aeedf61797ae50a4\\\",\\\"sha256Checksum\\\":\\\"4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b\\\",\\\"createTimestamp\\\":\\\"2020-03-23T20:49:51.288Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:54:33.697Z\\\",\\\"deviceUserName\\\":\\\"sean.cassidy@c42se.com\\\",\\\"osHostName\\\":\\\"SEANC-OFFICIAL-\\\",\\\"domainName\\\":\\\"SEANC-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\\\",\\\"0:0:0:0:0:
0:0:1\\\",\\\"127.0.0.1\\\",\\\"172.20.65.56\\\"],\\\"deviceUid\\\":\\\"983156854068078725\\\",\\\"userUid\\\":\\\"887050325252344565\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"sean.cassidy\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a6622b12-9210-5391-b7a2-fb37b77d2330\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:54:34.612Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"SEANC-OFFICIAL-\",\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:54:33.697Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"sean.cassidy\",\"4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b\",\"2021-09-16T23:02:30.314Z\",21,\"code42-exfil-share-datatype\",\"d4d35cde3d316ed4aeedf61797ae50a4\",57848,\"false\",\"TRUE\",\"C:/Users/sean.cassidy/\",\"Document\",\"Administrators\",\"FILE\",\"887050325252344565\",\"2021-09-16T22:54:34.612Z\",\"sean.cassidy@c42se.com\",\"sean.cassidy@c42se.com\",\"2020-03-23T20:49:51.288Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.280Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335704Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"dc434cced48beee1b8f867474c5cc33d\\\",\\\"sha256Checksum\\\":\\\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.599Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.991Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\"
:null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-66391315-46a4-5cd5-8e36-797ce685401a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.280Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.991Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"2021-09-16T22:52:32.765Z\",26112,\"code42-exfil-share-datatype\",\"dc434cced48beee1b8f867474c5cc33d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.280Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.599Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.191Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337203Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\\\",\\\"fileName\\\":\\\"e_sqlite3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":870400,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6844e4b40c797e392e1dddcfae0b8dd4\\\",\\\"sha256Checksum\\\":\\\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\\\",\\\"createTimestamp\\\":\\\"2020-08-20T09:07:00.718Z\\\",\\\"modifyTimestamp\\\":\\\"2020-08-20T09:07:05.686Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9125605f-1264-5799-9b5e-5b14abd34ad1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:23.191Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"e_sqlite3.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2020-08-20T09:07:05.686Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"2021-09-16T22:52:32.766Z\",870400,\"code42-exfil-share-datatype\",\"6844e4b40c797e392e1dddcfae0b8dd4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.191Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-08-20T09:07:00.718Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.172Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336782Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Configuration.Binder.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":24952,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f97d210b3ede360f920e2b1d5b702d6b\\\",\\\"sha256Checksum\\\":\\\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.771Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":n
ull,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-40aa9339-7c7b-54de-9324-9377e056d4e2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.172Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Configuration.Binder.dll\",\"
DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"2021-09-16T22:52:32.763Z\",24952,\"code42-exfil-share-datatype\",\"f97d210b3ede360f920e2b1d5b702d6b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.172Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.771Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.128Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337977Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSyncTelemetryExtensions.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":71544,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"faaf9d982dbaa8ab547098f1fb6abc81\\\",\\\"sha256Checksum\\\":\\\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.402Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.405Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMe
diaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1f33d210-e0ea-5ac6-bb07-7a447613b190\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.128Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSyncTelemetryExtensions.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.405Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"2021-09-16T22:52:32.759Z\",71544,\"code42-exfil-share-datatype\",\"faaf9d982dbaa8ab547098f1fb6abc81\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.128Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.402Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.161Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334894Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17784,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"981e3dd612e3d93ba10c54e46d378aa5\\\",\\\"sha256Checksum\\\":\\\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.190Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.176Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6fb7d7f8-f5f2-572a-97f2-cc3be5dd47f1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.161Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.176Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"2021-09-16T22:52:32.762Z\",17784,\"code42-exfil-share-datatype\",\"981e3dd612e3d93ba10c54e46d378aa5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.161Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.190Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.206Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336218Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\\\",\\\"fileName\\\":\\\"vcruntime140_cor3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":97160,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"18049f6811fc0f94547189a9e104f5d2\\\",\\\"sha256Checksum\\\":\\\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.611Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.958Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6fb7d559-f724-5f37-9187-9d037f75fda3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.206Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"vcruntime140_cor3.dll\",\"DARNELLW-OFFICI\",\"DA
RNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.958Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"2021-09-16T22:52:32.762Z\",97160,\"code42-exfil-share-datatype\",\"18049f6811fc0f94547189a9e104f5d2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.206Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.611Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.281Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337045Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Text.Encodings.Web.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":59768,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"2e2490a823b4a3d290a98d0371d199ed\\\",\\\"sha256Checksum\\\":\\\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.215Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bdd0dfb1-55f1-5bbd-85ab-d589623e4230\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.281Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Text.Encodings.Web.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.215Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"2021-09-16T22:52:32.766Z\",59768,\"code42-exfil-share-datatype\",\"2e2490a823b4a3d290a98d0371d199ed\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.281Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.105Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336624Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"DotNetty.Transport.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":254464,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"4a67dcf64aab4980b9bd9fb623cc7242\\\",\\\"sha256Checksum\\\":\\\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.044Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-13a0b29e-3db3-522a-a911-be3d684f1f07\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.105Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"DotNetty.Transport.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.044Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"2021-09-16T22:52:32.765Z\",254464,\"code42-exfil-share-datatype\",\"4a67dcf64aab4980b9bd9fb623cc7242\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.105Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.258Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335653Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14200,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6b163d1438afbe087bb895d76ea393e7\\\",\\\"sha256Checksum\\\":\\\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.926Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3a1fee14-256f-510f-aced-1bf23fb968cd\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:20.258Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.926Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"2021-09-16T22:52:32.760Z\",14200,\"code42-exfil-share-datatype\",\"6b163d1438afbe087bb895d76ea393e7\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.258Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.285Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337054Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Text.Json.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":293248,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"64efa1bfed847afd252e7af274648474\\\",\\\"sha256Checksum\\\":\\\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.215Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHou
rs\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-523329ab-5b5f-5357-a64e-8ae0ce7f5456\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:22.285Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Text.Json.dll\",\"DARNELLW-OFFICI\",\"DARNE
LLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.215Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"2021-09-16T22:52:32.764Z\",293248,\"code42-exfil-share-datatype\",\"64efa1bfed847afd252e7af274648474\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.285Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.292Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335127Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"System.Windows.Forms.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":355192,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"47613e3bfa408b3299c04d0df45433ba\\\",\\\"sha256Checksum\\\":\\\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.301Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\
\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-22383b2e-6dd0-5329-baf0-9074acc3b3a0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:19.292Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Forms.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.301Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"2021-09-16T22:52:32.763Z\",355192,\"code42-exfil-share-datatype\",\"47613e3bfa408b3299c04d0df45433ba\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.292Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.316Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336422Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":36240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e2dd338ceac0daebdfdf99d72e40fd80\\\",\\\"sha256Checksum\\\":\\\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.643Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.349Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-46a69277-670c-5a04-a296-4ce39a3e0361\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:21.316Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI
\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.349Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"2021-09-16T22:52:32.761Z\",36240,\"code42-exfil-share-datatype\",\"e2dd338ceac0daebdfdf99d72e40fd80\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.316Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.643Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.331Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337467Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"Office.UI.Xaml.Core.winmd\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":20280,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d16aec0e28a5f509a04722edf62e01eb\\\",\\\"sha256Checksum\\\":\\\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:54.439Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"ou
tsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6af36d6f-8b1a-53f4-b011-92aea968dc13\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:27.331Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"Office.UI.Xaml.Core.winmd\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:54.439Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"2021-09-16T22:52:32.764Z\",20280,\"code42-exfil-share-datatype\",\"d16aec0e28a5f509a04722edf62e01eb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.331Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.231Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314459Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5DBus.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":437624,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"d10cb4ac9a26d6350f1079399351e9d3\\\",\\\"sha256Checksum\\\":\\\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.238Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.354Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ccea10ce-60a9-516a-adc2-ab30852b2b65\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T22:48:40.231Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5DBus.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.354Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"2021-09-16T22:52:32.760Z\",437624,\"code42-exfil-share-datatype\",\"d10cb4ac9a26d6350f1079399351e9d3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.231Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.238Z\"]]}}]}}}],\"errors\":[{\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"code\":\"too-many-messages-warning\",\"message\":\"There are more messages in Exabeam for 162.222.47.183 than can be displayed in Threat Response. Login to the Exabeam console to see all messages.\",\"type\":\"warning\",\"module\":\"Exabeam\"}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T08:28:38.918Z\",\"uuid\":\"84f9c555-287e-4ed0-9caf-8ff5f23a21dc\"}]", "short_description": "Exabeam", "omittedObservables": [], "archivedObservables": [{"key": "7dddf0ad-0f0d-44da-b109-ae4251e920c5", "value": "162.222.47.183", "indicators": [], "type": "ip", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f5f1e5c6", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "ip", "value": "162.222.47.183"}, "type": "warning", "action_id": "84f9c555-287e-4ed0-9caf-8ff5f23a21dc", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for 162.222.47.183 than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "162.222.47.183", "id": "f5f1e5c6", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] 
ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.231Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314459Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5DBus.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":437624,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"d10cb4ac9a26d6350f1079399351e9d3\",\"sha256Checksum\":\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"createTimestamp\":\"2021-09-08T09:32:15.238Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.354Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[
],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ccea10ce-60a9-516a-adc2-ab30852b2b65", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.231Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5DBus.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:15.354Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8", "2021-09-16T22:52:32.760Z", 437624, "code42-exfil-share-datatype", "d10cb4ac9a26d6350f1079399351e9d3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.231Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.238Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.331Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337467Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.Core.winmd\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":20280,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d16aec0e28a5f509a04722edf62e01eb\",\"sha256Checksum\":\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.439Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":n
ull,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6af36d6f-8b1a-53f4-b011-92aea968dc13", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.331Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": 
"string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Office.UI.Xaml.Core.winmd", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.439Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7", "2021-09-16T22:52:32.764Z", 20280, "code42-exfil-share-datatype", "d16aec0e28a5f509a04722edf62e01eb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.331Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file 
flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] 
ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.316Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336422Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e2dd338ceac0daebdfdf99d72e40fd80\",\"sha256Checksum\":\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.349Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":nul
l,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-46a69277-670c-5a04-a296-4ce39a3e0361", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.316Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.349Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34", "2021-09-16T22:52:32.761Z", 36240, "code42-exfil-share-datatype", "e2dd338ceac0daebdfdf99d72e40fd80", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.316Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335127Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Forms.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":355192,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47613e3bfa408b3299c04d0df45433ba\",\"sha256Checksum\":\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.301Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\"
:[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-22383b2e-6dd0-5329-baf0-9074acc3b3a0", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.292Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.301Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5", "2021-09-16T22:52:32.763Z", 355192, "code42-exfil-share-datatype", "47613e3bfa408b3299c04d0df45433ba", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.285Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337054Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":293248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"64efa1bfed847afd252e7af274648474\",\"sha256Checksum\":\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-523329ab-5b5f-5357-a64e-8ae0ce7f5456", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.285Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237", "2021-09-16T22:52:32.764Z", 293248, "code42-exfil-share-datatype", "64efa1bfed847afd252e7af274648474", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.285Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335653Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6b163d1438afbe087bb895d76ea393e7\",\"sha256Checksum\":\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.926Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"
removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3a1fee14-256f-510f-aced-1bf23fb968cd", 
"observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.258Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.926Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3", "2021-09-16T22:52:32.760Z", 14200, "code42-exfil-share-datatype", "6b163d1438afbe087bb895d76ea393e7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", 
"902428473202283166", "2021-09-16T22:48:20.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.105Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336624Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"DotNetty.Transport.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":254464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a67dcf64aab4980b9bd9fb623cc7242\",\"sha256Checksum\":\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.044Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":
null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-13a0b29e-3db3-522a-a911-be3d684f1f07", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.105Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "DotNetty.Transport.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.044Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4", "2021-09-16T22:52:32.765Z", 254464, "code42-exfil-share-datatype", "4a67dcf64aab4980b9bd9fb623cc7242", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.105Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337045Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Encodings.Web.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":59768,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2e2490a823b4a3d290a98d0371d199ed\",\"sha256Checksum\":\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bdd0dfb1-55f1-5bbd-85ab-d589623e4230", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.281Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Encodings.Web.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724", "2021-09-16T22:52:32.766Z", 59768, "code42-exfil-share-datatype", "2e2490a823b4a3d290a98d0371d199ed", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336218Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"vcruntime140_cor3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":97160,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18049f6811fc0f94547189a9e104f5d2\",\"sha256Checksum\":\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"createTimestamp\":\"2021-08-18T09:55:42.611Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.958Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":nu
ll,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6fb7d559-f724-5f37-9187-9d037f75fda3", "observed_start_time": "2021-09-16T22:48:21Z", "count": 
1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.206Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "vcruntime140_cor3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.958Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db", "2021-09-16T22:52:32.762Z", 97160, "code42-exfil-share-datatype", "18049f6811fc0f94547189a9e104f5d2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.206Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-08-18T09:55:42.611Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.161Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334894Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"981e3dd612e3d93ba10c54e46d378aa5\",\"sha256Checksum\":\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.176Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\"
,\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6fb7d7f8-f5f2-572a-97f2-cc3be5dd47f1", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.161Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.176Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0", "2021-09-16T22:52:32.762Z", 17784, "code42-exfil-share-datatype", "981e3dd612e3d93ba10c54e46d378aa5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.161Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.128Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337977Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncTelemetryExtensions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":71544,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"faaf9d982dbaa8ab547098f1fb6abc81\",\"sha256Checksum\":\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"createTimestamp\":\"2021-09-08T09:32:13.402Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.405Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTy
peByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1f33d210-e0ea-5ac6-bb07-7a447613b190", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.128Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncTelemetryExtensions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.405Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239", "2021-09-16T22:52:32.759Z", 71544, "code42-exfil-share-datatype", "faaf9d982dbaa8ab547098f1fb6abc81", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.128Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.402Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.172Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336782Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Binder.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":24952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f97d210b3ede360f920e2b1d5b702d6b\",\"sha256Checksum\":\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVe
ndor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-40aa9339-7c7b-54de-9324-9377e056d4e2", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.172Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Binder.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4", "2021-09-16T22:52:32.763Z", 24952, "code42-exfil-share-datatype", "f97d210b3ede360f920e2b1d5b702d6b", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.172Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z 
ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.191Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337203Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"fileName\":\"e_sqlite3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":870400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6844e4b40c797e392e1dddcfae0b8dd4\",\"sha256Checksum\":\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"createTimestamp\":\"2020-08-20T09:07:00.718Z\",\"modifyTimestamp\":\"2020-08-20T09:07:05.686Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9125605f-1264-5799-9b5e-5b14abd34ad1", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.191Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", 
"type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "e_sqlite3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-08-20T09:07:05.686Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1", "2021-09-16T22:52:32.766Z", 870400, "code42-exfil-share-datatype", "6844e4b40c797e392e1dddcfae0b8dd4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.191Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-08-20T09:07:00.718Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file 
flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; 
format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.280Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335704Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc434cced48beee1b8f867474c5cc33d\",\"sha256Checksum\":\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"createTimestamp\":\"2021-09-09T09:44:28.599Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.991Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUserna
me\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66391315-46a4-5cd5-8e36-797ce685401a", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.280Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.991Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6", "2021-09-16T22:52:32.765Z", 26112, "code42-exfil-share-datatype", "dc434cced48beee1b8f867474c5cc33d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.280Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.599Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:54:34.612Z 
804e3b095828 Skyformation - 6165243996888775860 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 dproc=file events dtz=default-tenant end=1631832874612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:54:34.612Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:54:33.697Z ext_md5Checksum=d4d35cde3d316ed4aeedf61797ae50a4 ext_sharedWith=[] ext_sha256Checksum=4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:52.367764Z ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:54:34.612Z\",\"insertionTimestamp\":\"2021-09-16T22:59:52.367764Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/sean.cassidy/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"d4d35cde3d316ed4aeedf61797ae50a4\",\"sha256Checksum\":\"4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b\",\"createTimestamp\":\"2020-03-23T20:49:51.288Z\",\"modifyTimestamp\":\"2021-09-16T22:54:33.697Z\",\"deviceUserName\":\"sean.cassidy@c42se.com\",\"osHostName\":\"SEANC-OFFICIAL-\",\"domainName\":\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\",\"172.20.65.56\"],\"deviceUid\":\"983156854068078725\",\"userUid\":\"887050325252344565\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\
":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"sean.cassidy\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:54:34Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a6622b12-9210-5391-b7a2-fb37b77d2330", "observed_start_time": "2021-09-16T22:54:34Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:54:34.612Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "SEANC-OFFICIAL-", "SEANC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:54:33.697Z", "text/plain", "MODIFIED", "162.222.47.183", "sean.cassidy", "4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b", "2021-09-16T23:02:30.314Z", 21, "code42-exfil-share-datatype", "d4d35cde3d316ed4aeedf61797ae50a4", 57848, "false", "TRUE", "C:/Users/sean.cassidy/", "Document", "Administrators", "FILE", "887050325252344565", "2021-09-16T22:54:34.612Z", "sean.cassidy@c42se.com", "sean.cassidy@c42se.com", "2020-03-23T20:49:51.288Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.100Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337625Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointlimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":377184,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"99d060c13d92442ea518ad6c13305532\",\"sha256Checksum\":\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"remov
ableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-49473a25-b7cc-50fd-a762-72b81b536667", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "ip", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.100Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointlimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191", "2021-09-16T22:52:32.765Z", 377184, "code42-exfil-share-datatype", "99d060c13d92442ea518ad6c13305532", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.100Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.262Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315284Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"msipc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3022712,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"dcd150947325c51dc49af1c568e76466\",\"sha256Checksum\":\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"createTimestamp\":\"2021-09-08T09:32:14.484Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.519Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":n
ull,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9e30b314-9ee6-5218-b163-313d2a5bb546", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.262Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msipc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:14.519Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1", "2021-09-16T22:52:32.766Z", 3022712, "code42-exfil-share-datatype", "dcd150947325c51dc49af1c568e76466", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.262Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.484Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:57:23.419Z 804e3b095828 Skyformation - 7013019646501643272 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 dproc=file events dtz=default-tenant end=1631833043419 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:23.419Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:57:22.503Z ext_md5Checksum=8ea299414f16148eb8517e478d71f64c ext_sharedWith=[] 
ext_sha256Checksum=e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:13.330998Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:57:23.419Z\",\"insertionTimestamp\":\"2021-09-16T22:58:13.330998Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"8ea299414f16148eb8517e478d71f64c\",\"sha256Checksum\":\"e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T22:57:22.503Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\
":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:57:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-39144912-bbfc-507f-a580-4c709660d4b3", "observed_start_time": "2021-09-16T22:57:23Z", "count": 1, "observable_type": "ip", "ctr_uuid": "a1f10421-bd33-4f50-8324-f03652392c01", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:57:23.419Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", 
"JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:57:22.503Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e", "2021-09-16T23:00:29.720Z", 21, "code42-exfil-share-datatype", "8ea299414f16148eb8517e478d71f64c", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T22:57:23.419Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:53.470Z 804e3b095828 Skyformation - 8757910183166367699 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 dproc=file events dtz=default-tenant end=1631832953470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:53.470Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:52.553Z ext_md5Checksum=42095b3368e04ec563ae3cc508cf7b0b ext_sharedWith=[] ext_sha256Checksum=7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:57:12.133407Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:53.470Z\",\"insertionTimestamp\":\"2021-09-16T22:57:12.133407Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/alex.cooper/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"42095b3368e04ec563ae3cc508cf7b0b\",\"sha256Checksum\":\"7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a\",\"createTimestamp\":\"2020-08-14T13:57:46.726Z\",\"modifyTimestamp\":\"2021-09-16T22:55:52.553Z\",\"deviceUserName\":\"alex.cooper@c42se.com\",\"osHostName\":\"ALEXC-OFFICIAL-\",\"domainName\":\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.65.62\",\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944595906935824510\",\"userUid\":\"925771637667629373\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"file
Id\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"alex.cooper\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:53Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6cc5937c-087a-5124-b1d8-ee04a483a05a", "observed_start_time": "2021-09-16T22:55:53Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:53.470Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ALEXC-OFFICIAL-", "ALEXC-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:55:52.553Z", "text/plain", "MODIFIED", "162.222.47.183", "alex.cooper", "7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "42095b3368e04ec563ae3cc508cf7b0b", 57848, "false", "TRUE", "C:/Users/alex.cooper/", "Document", "Administrators", "FILE", "925771637667629373", "2021-09-16T22:55:53.470Z", "alex.cooper@c42se.com", "alex.cooper@c42se.com", "2020-08-14T13:57:46.726Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.102Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335997Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":31744,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"88d5e6253dcb376fb076c87713b3628e\",\"sha256Checksum\":\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"createTimestamp\":\"2021-09-09T09:44:28.614Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.054Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d5460d1-da05-5833-8d33-4461a20b887c", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.102Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.054Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a", "2021-09-16T22:52:32.766Z", 31744, "code42-exfil-share-datatype", "88d5e6253dcb376fb076c87713b3628e", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.102Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.614Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.090Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335347Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":19968,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b2f71614b51575b117cfa4356d851423\",\"sha256Checksum\":\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"createTimestamp\":\"2021-09-09T09:44:28.589Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.950Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVen
dor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-9c09f4e8-150f-5f53-ba71-50de875db6f2", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.090Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.950Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b", "2021-09-16T22:52:32.761Z", 19968, "code42-exfil-share-datatype", "b2f71614b51575b117cfa4356d851423", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.090Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.589Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.168Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336774Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Abstractions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":21368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1c8f3a5d41fd162943613952097db8b\",\"sha256Checksum\":\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-30ad332e-3cc8-5056-9b47-f6c67e1be5ad", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.168Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Abstractions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732", "2021-09-16T22:52:32.765Z", 21368, "code42-exfil-share-datatype", "e1c8f3a5d41fd162943613952097db8b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.168Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:02:22.586Z 804e3b095828 Skyformation - 166520060466349731 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 dproc=file events dtz=default-tenant end=1631833342586 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:02:22.586Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:22.567Z ext_md5Checksum=863d783444c0ecd387c905e9176bf141 ext_sharedWith=[] ext_sha256Checksum=fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:40.014640Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:02:22.586Z\",\"insertionTimestamp\":\"2021-09-16T23:03:40.014640Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"863d783444c0ecd387c905e9176bf141\",\"sha256Checksum\":\"fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T23:02:22.567Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":f
alse,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:02:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_3_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4993fc49-66eb-5a74-8700-2b0bed24b796", "observed_start_time": "2021-09-16T23:02:22Z", "count": 1, "observable_type": "ip", "ctr_uuid": "41ce6a98-376a-408e-a126-14b22993139c", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:02:22.586Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": 
"string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:02:22.567Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833", "2021-09-16T23:04:29.764Z", 21, "code42-exfil-share-datatype", "863d783444c0ecd387c905e9176bf141", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T23:02:22.586Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.190Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336835Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Logging.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":34168,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47d7a055ee7672f9b54ba629da07a6a3\",\"sha256Checksum\":\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination
\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-19f4f026-7d63-5465-9fc6-c1821bd52f8b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.190Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Logging.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c", "2021-09-16T22:52:32.766Z", 34168, "code42-exfil-share-datatype", "47d7a055ee7672f9b54ba629da07a6a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.190Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 
2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337538Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"TextEntityExtractorProxy.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":638976,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f8af1754c0bdb86deb1f68930784d580\",\"sha256Checksum\":\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.205Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"proces
sOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-767515fa-6d2b-54eb-b95a-d0ed62b96e67", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.350Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "TextEntityExtractorProxy.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.205Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab", "2021-09-16T22:52:32.767Z", 638976, "code42-exfil-share-datatype", "f8af1754c0bdb86deb1f68930784d580", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.309Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337398Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxOutlook.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1439232,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"845c649d20d35fc78fbab0c0d9ec5ec6\",\"sha256Checksum\":\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.168Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingS
ystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8ecbddf4-f6de-5532-b9a4-0c18b11274a2", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.309Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, 
{"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxOutlook.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.168Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a", "2021-09-16T22:52:32.761Z", 1439232, "code42-exfil-share-datatype", "845c649d20d35fc78fbab0c0d9ec5ec6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.309Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:56:54.736Z 804e3b095828 Skyformation - 2768134485455653850 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 dproc=file events dtz=default-tenant end=1631833014736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:56:54.736Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:53.830Z ext_md5Checksum=d7bad10ef06efb58306cf290c0666440 ext_sharedWith=[] ext_sha256Checksum=158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:26.353681Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:56:54.736Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353681Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/michelle.goldberg/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"d7bad10ef06efb58306cf290c0666440\",\"sha256Checksum\":\"158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba\",\"createTimestamp\":\"2020-08-14T14:53:22.049Z\",\"modifyTimestamp\":\"2021-09-16T22:56:53.830Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mime
TypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:56:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-53659e52-f299-5197-b32b-1b8ec8f96d9d", "observed_start_time": "2021-09-16T22:56:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:56:54.736Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": 
"modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:56:53.830Z", "text/plain", "MODIFIED", "162.222.47.183", "michelle.goldberg", "158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba", "2021-09-16T23:00:29.721Z", 21, "code42-exfil-share-datatype", "d7bad10ef06efb58306cf290c0666440", 57848, "false", "TRUE", "C:/Users/michelle.goldberg/", "Document", "Administrators", "FILE", "922302705889597824", "2021-09-16T22:56:54.736Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2020-08-14T14:53:22.049Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 8292696232025279500 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=3e524e400c05f8303ada6e81308853048f98951f fsize=348600 msg=Resource [Resource: file :: 3e524e400c05f8303ada6e81308853048f98951f] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=3e524e400c05f8303ada6e81308853048f98951f ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:53:42.201Z ext_md5Checksum=a41a0e7d69c8b117f5a841863ad4d765 ext_sharedWith=[] ext_sha256Checksum=ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=348600 ext_insertionTimestamp=2021-09-16T22:59:26.353728Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T09:53:42.064Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:55:32.032Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353728Z\",\"fieldErrors\":[],\"filePath\":\"C:/Windows/SoftwareDistribution/Download/\",\"fileName\":\"3e524e400c05f8303ada6e81308853048f98951f\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":348600,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"a41a0e7d69c8b117f5a841863ad4d765\",\"sha256Checksum\":\"ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae\",\"createTimestamp\":\"2021-09-15T09:53:42.064Z\",\"modifyTimestamp\":\"2021-09-15T09:53:42.201Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNam
es\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:32Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b141bf70-a77d-5e91-985f-804abf86f186", "observed_start_time": "2021-09-16T22:55:32Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:32.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "3e524e400c05f8303ada6e81308853048f98951f", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-15T09:53:42.201Z", "application/octet-stream", "DELETED", "162.222.47.183", "michelle.goldberg", "ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae", "2021-09-16T23:00:29.721Z", 348600, "code42-exfil-share-datatype", "a41a0e7d69c8b117f5a841863ad4d765", 57848, "false", "TRUE", "C:/Windows/SoftwareDistribution/Download/", "Executable", "SYSTEM", "FILE", "922302705889597824", "2021-09-16T22:55:32.032Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2021-09-15T09:53:42.064Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 
ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314982Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-conio-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c61e3c9099cc2b143cc93bf26ac01d34\",\"sha256Checksum\":\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"createTimestamp\":\"2021-09-08T09:32:11.790Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.790Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"re
movableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-19461a73-1623-57e1-9868-8316927e555a", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.158Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-conio-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.790Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc", "2021-09-16T22:52:32.763Z", 12664, "code42-exfil-share-datatype", "c61e3c9099cc2b143cc93bf26ac01d34", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", 
"Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.790Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:53:34.592Z 804e3b095828 Skyformation - 5887001634145810066 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 dproc=file events dtz=default-tenant end=1631832814592 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:53:34.592Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:53:33.688Z ext_md5Checksum=984ffdd35a8b9587207b594e6a6391b5 ext_sharedWith=[] ext_sha256Checksum=d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:27.640048Z 
ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:53:34.592Z\",\"insertionTimestamp\":\"2021-09-16T22:54:27.640048Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/sean.cassidy/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"984ffdd35a8b9587207b594e6a6391b5\",\"sha256Checksum\":\"d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e\",\"createTimestamp\":\"2020-03-23T20:49:51.288Z\",\"modifyTimestamp\":\"2021-09-16T22:53:33.688Z\",\"deviceUserName\":\"sean.cassidy@c42se.com\",\"osHostName\":\"SEANC-OFFICIAL-\",\"domainName\":\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\",\"172.20.65.56\"],\"deviceUid\":\"983156854068078725\",\"userUid\":\"887050325252344565\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":n
ull,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"sean.cassidy\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:53:34Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-719c033c-53b7-50ac-bf24-b8c674179635", "observed_start_time": "2021-09-16T22:53:34Z", "count": 1, "observable_type": "ip", "confidence": 
"High", "observed_time": {"start_time": "2021-09-16T22:53:34.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "SEANC-OFFICIAL-", "SEANC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:53:33.688Z", "text/plain", "MODIFIED", "162.222.47.183", "sean.cassidy", "d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "984ffdd35a8b9587207b594e6a6391b5", 57848, "false", "TRUE", "C:/Users/sean.cassidy/", "Document", "Administrators", "FILE", "887050325252344565", "2021-09-16T22:53:34.592Z", "sean.cassidy@c42se.com", "sean.cassidy@c42se.com", "2020-03-23T20:49:51.288Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:01:54.338Z 804e3b095828 Skyformation - 
5372332763298212826 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 dproc=file events dtz=default-tenant end=1631833314338 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:01:54.338Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:01:53.526Z ext_md5Checksum=88b43443da22c25cf6c00f8cd5c67b29 ext_sharedWith=[] ext_sha256Checksum=7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:49.223927Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:01:54.338Z\",\"insertionTimestamp\":\"2021-09-16T23:02:49.223927Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/russell.martin/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"88b43443da22c25cf6c00f8cd5c67b29\",\"sha256Checksum\":\"7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69\",\"createTimestamp\":\"2020-08-21T01:27:36.760Z\",\"modifyTimestamp\":\"2021-09-16T23:01:53.526Z\",\"deviceUserName\":\"russell.martin@example.edu\",\"osHostName\":\"RUSSELLM-OFFICI\",\"domainName\":\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.162\",\"fe80:0:0:0:49f7:c945:904:10d5%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423453587837882\",\"userUid\":\"966201050854648997\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipient
s\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"russell.martin\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:01:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-87711222-9004-58f2-8d70-d87870bdc475", "observed_start_time": "2021-09-16T23:01:54Z", "count": 1, "observable_type": "ip", "ctr_uuid": "8f6040be-aa37-4fc3-8cb4-58d4974ba70b", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:01:54.338Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "RUSSELLM-OFFICI", "RUSSELLM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:01:53.526Z", "text/plain", "MODIFIED", "162.222.47.183", "russell.martin", "7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69", "2021-09-16T23:04:29.765Z", 21, "code42-exfil-share-datatype", "88b43443da22c25cf6c00f8cd5c67b29", 57848, "false", "TRUE", "C:/Users/russell.martin/", "Document", "Administrators", "FILE", "966201050854648997", "2021-09-16T23:01:54.338Z", "russell.martin@example.edu", "russell.martin@example.edu", "2020-08-21T01:27:36.760Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.284Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337354Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxCommModel.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4250624,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1d0bcfa0671f607ba8e3ab53f893e8bb\",\"sha256Checksum\":\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.137Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-366d1237-2f8f-52da-b57a-6c5aeff7f553", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-09-16T22:48:27.284Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxCommModel.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.137Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3", "2021-09-16T22:52:32.763Z", 4250624, "code42-exfil-share-datatype", "1d0bcfa0671f607ba8e3ab53f893e8bb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.284Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, 
{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:52:00.340Z 804e3b095828 Skyformation - 101121762317961190 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 dproc=file events dtz=default-tenant end=1631832720340 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:00.340Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:59.527Z ext_md5Checksum=a5d9591d6f143c127c28abadbf112417 ext_sharedWith=[] ext_sha256Checksum=ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:59.169359Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:52:00.340Z\",\"insertionTimestamp\":\"2021-09-16T22:52:59.169359Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"a5d9591d6f143c127c28abadbf112417\",\"sha256Checksum\":\"ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T22:51:59.527Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailD
lpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:52:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b32701b6-d75d-5708-8872-225eb4b7fbd8", "observed_start_time": "2021-09-16T22:52:00Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:52:00.340Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", "KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:51:59.527Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "a5d9591d6f143c127c28abadbf112417", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T22:52:00.340Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.108Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Google.Protobuf.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":401064,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e73f645a041a91618e33299cfe33851\",\"sha256Checksum\":\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.060Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity
\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-764e8852-01b4-5167-bee9-61f29e31602d", "observed_start_time": 
"2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.108Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Google.Protobuf.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.060Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661", "2021-09-16T22:52:32.766Z", 401064, "code42-exfil-share-datatype", "5e73f645a041a91618e33299cfe33851", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.108Z", 
"darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:47:48.222Z\",\"insertionTimestamp\":\"2021-09-16T22:56:50.885010Z\",\"fieldErrors\":[],\"filePath\":\"C:/\",\"fileName\":\"sshd.pid\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":6,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4ae3b17c6481c84809152f331f7d783c\",\"sha256Checksum\":\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"createTimestamp\":\"2021-03-17T09:49:37.832Z\",\"modifyTimestamp\":\"2021-09-16T09:39:11.904Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPar
titionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:47:48Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5d48b52e-0e61-5614-b642-183dc0ac545e", "observed_start_time": "2021-09-16T22:47:48Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:47:48.222Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "sshd.pid", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T09:39:11.904Z", "application/octet-stream", "MODIFIED", "162.222.47.183", "darnell.waters", "c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750", "2021-09-16T22:58:29.756Z", 6, "code42-exfil-share-datatype", "4ae3b17c6481c84809152f331f7d783c", 57848, "false", "TRUE", "C:/", "Document", "Administrators", "FILE", "902428473202283166", "2021-09-16T22:47:48.222Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-03-17T09:49:37.832Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false 
ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",\"sha256Checksum\":\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"createTimestamp\":\"2021-09-09T09:44:28.598Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.987Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"
tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2574907d-cae0-57cc-b985-8815cca5ac1d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.288Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.987Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c", "2021-09-16T22:52:32.761Z", 26112, "code42-exfil-share-datatype", "c0d4746e3cb9e48dfa98f5e7d7bd98a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.598Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.146Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335417Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":208784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"beeb465b9ab84dbb8f78f866924d49fe\",\"sha256Checksum\":\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"createTimestamp\":\"2021-08-18T09:55:42.315Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.676Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-292bec71-c562-577a-a94f-ab54370603eb", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.146Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.676Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154", "2021-09-16T22:52:32.766Z", 208784, "code42-exfil-share-datatype", "beeb465b9ab84dbb8f78f866924d49fe", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.146Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.315Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.163Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335444Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b5cb4e7532586d8ec2a144fe895ef55d\",\"sha256Checksum\":\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"createTimestamp\":\"2021-08-18T09:55:42.330Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.707Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removab
leMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-1b62b73d-4074-5e2d-aed4-f833528c33c6", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.163Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.707Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e", "2021-09-16T22:52:32.765Z", 17272, "code42-exfil-share-datatype", "b5cb4e7532586d8ec2a144fe895ef55d", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.163Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.330Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] 
ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314470Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Gui.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6671232,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f53d5cd7837e933cf4cc8c07a1a88350\",\"sha256Checksum\":\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"createTimestamp\":\"2021-09-08T09:32:15.375Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.450Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":
[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6f1119de-1ca4-5c02-8a48-8d233b6c7f51", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.234Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Gui.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:15.450Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0", "2021-09-16T22:52:32.762Z", 6671232, "code42-exfil-share-datatype", "f53d5cd7837e933cf4cc8c07a1a88350", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.234Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.375Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.060Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335277Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1ac89288b8009c9a0fb138fb9d67b150\",\"sha256Checksum\":\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"createTimestamp\":\"2021-09-09T09:44:28.586Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.943Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9918c6d9-765e-5d8c-b914-bf67bca5fb25", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.060Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.943Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780", "2021-09-16T22:52:32.763Z", 30720, "code42-exfil-share-datatype", "1ac89288b8009c9a0fb138fb9d67b150", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.060Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.586Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.219Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336922Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Newtonsoft.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":653824,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f33cbe589b769956284868104686cc2d\",\"sha256Checksum\":\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"createTimestamp\":\"2020-05-21T13:18:58.618Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.588Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity
\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-aea8b0e5-235a-5595-8967-8fed89dcca7f", 
"observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.219Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Newtonsoft.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.588Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278", "2021-09-16T22:52:32.761Z", 653824, "code42-exfil-share-datatype", "f33cbe589b769956284868104686cc2d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:22.219Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] 
ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.160Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336148Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"077bb8ca6a783006aacb63d08317c339\",\"sha256Checksum\":\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61471_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0357656e-2c0b-5454-97fc-aaff38ba6255", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.160Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92", "2021-09-16T22:52:32.764Z", 17272, "code42-exfil-share-datatype", "077bb8ca6a783006aacb63d08317c339", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.160Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 2046146408369861582 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=4447782c2756c6c447299d79a0e92f6950df5def fsize=3105208 msg=Resource [Resource: file :: 4447782c2756c6c447299d79a0e92f6950df5def] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=4447782c2756c6c447299d79a0e92f6950df5def ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T10:01:33.097Z ext_md5Checksum=3a09012f4a87abb2366ffbf8ca4b70ec ext_sharedWith=[] ext_sha256Checksum=0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3105208 ext_insertionTimestamp=2021-09-16T22:59:26.353746Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T10:01:32.918Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:55:32.032Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353746Z\",\"fieldErrors\":[],\"filePath\":\"C:/Windows/SoftwareDistribution/Download/\",\"fileName\":\"4447782c2756c6c447299d79a0e92f6950df5def\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":3105208,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3a09012f4a87abb2366ffbf8ca4b70ec\",\"sha256Checksum\":\"0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862\",\"createTimestamp\":\"2021-09-15T10:01:32.918Z\",\"modifyTimestamp\":\"2021-09-15T10:01:33.097Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"remo
vableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:32Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_11_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6a55a80a-3597-5ff8-8362-b51c90225a52", "observed_start_time": "2021-09-16T22:55:32Z", "count": 1, "observable_type": 
"ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:32.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "4447782c2756c6c447299d79a0e92f6950df5def", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-15T10:01:33.097Z", "application/octet-stream", "DELETED", "162.222.47.183", "michelle.goldberg", "0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862", "2021-09-16T23:02:30.312Z", 3105208, "code42-exfil-share-datatype", "3a09012f4a87abb2366ffbf8ca4b70ec", 57848, "false", "TRUE", "C:/Windows/SoftwareDistribution/Download/", "Executable", "SYSTEM", "FILE", "922302705889597824", "2021-09-16T22:55:32.032Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2021-09-15T10:01:32.918Z"]]}}, 
{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.192Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314319Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.Calc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1333608,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"29b2b242a9fb8c094425d566c50f0958\",\"sha256Checksum\":\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"createTimestamp\":\"2021-09-08T09:32:13.949Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.967Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\
":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d06e6d6c-2bd7-559d-88b4-d7e4d1a89e9a", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.192Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.Calc.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.967Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64", "2021-09-16T22:52:32.760Z", 1333608, "code42-exfil-share-datatype", "29b2b242a9fb8c094425d566c50f0958", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.192Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.949Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335338Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"mscorrc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":13176,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fc24926593d08479a7ed2bdaff458d20\",\"sha256Checksum\":\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"createTimestamp\":\"2021-08-18T09:55:42.252Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.613Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemU
ser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-986981d1-b0c1-5463-b0d6-0f4ac3764bf2", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.086Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": 
"sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorrc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.613Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532", "2021-09-16T22:52:32.759Z", 13176, "code42-exfil-share-datatype", "fc24926593d08479a7ed2bdaff458d20", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.252Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED 
flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] 
ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.166Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Caching.Memory.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":32120,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"9e7c8d18c1128488df0dea96a6b5be3c\",\"sha256Checksum\":\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.247Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":nu
ll,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-32cf786a-b54f-5f06-8b5f-120a57ee31d5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.166Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Caching.Memory.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.247Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f", "2021-09-16T22:52:32.764Z", 32120, "code42-exfil-share-datatype", "9e7c8d18c1128488df0dea96a6b5be3c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.166Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 
ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336563Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"AutoMapper.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":286720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff3c3d84a000d57ef7d443f594d407ec\",\"sha256Checksum\":\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"createTimestamp\":\"2021-06-17T09:48:12.583Z\",\"modifyTimestamp\":\"2021-06-17T09:48:17.915Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":
[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4092231e-8015-5e72-93c4-007b94515cd6", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.086Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "AutoMapper.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-06-17T09:48:17.915Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48", "2021-09-16T22:52:32.759Z", 286720, "code42-exfil-share-datatype", "ff3c3d84a000d57ef7d443f594d407ec", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-06-17T09:48:12.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.123Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"igxim.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4910872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d19ae43d04b6c5c4b5f3fcc081b9e602\",\"sha256Checksum\":\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSy
stemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb0321a2-a87b-56fe-b5b5-20b9c02a89b4", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.123Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, 
{"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "igxim.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701", "2021-09-16T22:52:32.759Z", 4910872, "code42-exfil-share-datatype", "d19ae43d04b6c5c4b5f3fcc081b9e602", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.123Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:02.481Z\",\"insertionTimestamp\":\"2021-09-16T22:55:54.847061Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661687,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3df126f4a090da12f2c29b6e5c1c29da\",\"sha256Checksum\":\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.206Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-32ba2af3-2036-5524-8bbc-ace366ddd95d", "observed_start_time": "2021-09-16T22:55:02Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:02.481Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:55:00.206Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c", "2021-09-16T22:58:29.755Z", 6661687, "code42-exfil-share-datatype", "3df126f4a090da12f2c29b6e5c1c29da", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:55:02.481Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant 
duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.388Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314702Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-datetime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"98cfeaa96192d5dccc4a1852f6754fd5\",\"sha256Checksum\":\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"createTimestamp\":\"2021-09-08T09:32:11.142Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.155Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestin
ationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a5f54c34-5c36-5f79-9a0a-cd3443ceaf39", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.388Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-datetime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.155Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027", "2021-09-16T22:52:32.762Z", 11648, "code42-exfil-share-datatype", "98cfeaa96192d5dccc4a1852f6754fd5", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.388Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.142Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 
5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.133Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336694Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":144760,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1edab455db5fec76120731d3c11cb67\",\"sha256Checksum\":\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.823Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\"
:null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f3d93fcd-248c-5cf5-b1e3-7ea6efaeb96e", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.133Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.Core.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.823Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b", "2021-09-16T22:52:32.761Z", 144760, "code42-exfil-share-datatype", "e1edab455db5fec76120731d3c11cb67", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.133Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:01.316Z 804e3b095828 Skyformation - 5313767959944003510 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 dproc=file events dtz=default-tenant end=1631832901316 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:01.316Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.503Z 
ext_md5Checksum=1ed9751c3a3a31efb6d268320a46952a ext_sharedWith=[] ext_sha256Checksum=8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:00.284722Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:01.316Z\",\"insertionTimestamp\":\"2021-09-16T22:56:00.284722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/lisa.anderson/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"1ed9751c3a3a31efb6d268320a46952a\",\"sha256Checksum\":\"8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab\",\"createTimestamp\":\"2020-08-20T15:35:40.032Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.503Z\",\"deviceUserName\":\"lisa.anderson@example.edu\",\"osHostName\":\"LISAA-OFFICIAL-\",\"domainName\":\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.165\",\"0:0:0:0:0:0:0:1\",\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\",\"127.0.0.1\"],\"deviceUid\":\"968364480722593364\",\"userUid\":\"966200991614299301\",\"actor\":null,\"director
yId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"lisa.anderson\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3ebf614-7a41-54e5-b9ad-6e8b032a6820", "observed_start_time": "2021-09-16T22:55:01Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:01.316Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "LISAA-OFFICIAL-", "LISAA-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:55:00.503Z", "text/plain", "MODIFIED", "162.222.47.183", "lisa.anderson", "8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "1ed9751c3a3a31efb6d268320a46952a", 57848, "false", "TRUE", "C:/Users/lisa.anderson/", "Document", "Administrators", "FILE", "966200991614299301", "2021-09-16T22:55:01.316Z", "lisa.anderson@example.edu", "lisa.anderson@example.edu", "2020-08-20T15:35:40.032Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.130Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336068Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d7b70d7ae944e13019a7796eb46e966c\",\"sha256Checksum\":\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2dfdd205-d548-557a-a188-7105930ba081", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.130Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "d7b70d7ae944e13019a7796eb46e966c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.130Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:52:54.712Z 804e3b095828 Skyformation - 1972555328724139685 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 dproc=file events dtz=default-tenant end=1631832774712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:54.712Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:52:53.806Z ext_md5Checksum=352c6e242381d6d2fd656d2ffe3f05a9 ext_sharedWith=[] ext_sha256Checksum=97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:02.107014Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:52:54.712Z\",\"insertionTimestamp\":\"2021-09-16T22:54:02.107014Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/michelle.goldberg/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"352c6e242381d6d2fd656d2ffe3f05a9\",\"sha256Checksum\":\"97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d\",\"createTimestamp\":\"2020-08-14T14:53:22.049Z\",\"modifyTimestamp\":\"2021-09-16T22:52:53.806Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeT
ypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:52:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7c4b7cfb-ff1f-59b1-93a0-91313fa71439", "observed_start_time": "2021-09-16T22:52:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:52:54.712Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": 
"modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:52:53.806Z", "text/plain", "MODIFIED", "162.222.47.183", "michelle.goldberg", "97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "352c6e242381d6d2fd656d2ffe3f05a9", 57848, "false", "TRUE", "C:/Users/michelle.goldberg/", "Document", "Administrators", "FILE", "922302705889597824", "2021-09-16T22:52:54.712Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2020-08-14T14:53:22.049Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z 
ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.328Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c329416237b094613fc5f5a64b2ecbce\",\"sha256Checksum\":\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"createTimestamp\":\"2021-09-09T09:44:28.564Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.664Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removable
MediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-53045a88-f6cf-5c78-9b45-7919c983dd54", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": 
"2021-09-16T22:48:18.328Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.664Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75", "2021-09-16T22:52:32.765Z", 30720, "code42-exfil-share-datatype", "c329416237b094613fc5f5a64b2ecbce", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.328Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.564Z"]]}}, {"suspicious": 
0, "description": "```\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337186Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"YourPhoneServer.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47104,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"640c3b31c496531dacc0a8fb830fd457\",\"sha256Checksum\":\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"createTimestamp\":\"2021-09-09T09:44:28.653Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.484Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"pr
ocessName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb1cd9ba-bcbf-5e7c-bff6-a1f16c9d579f", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.178Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneServer.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.484Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7", "2021-09-16T22:52:32.765Z", 47104, "code42-exfil-share-datatype", "640c3b31c496531dacc0a8fb830fd457", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.653Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:50:54.234Z 804e3b095828 Skyformation - 8299296745530260548 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 dproc=file events dtz=default-tenant end=1631832654234 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:50:54.234Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:50:53.422Z ext_md5Checksum=f9f18977a180437631eb8e969d503075 ext_sharedWith=[] 
ext_sha256Checksum=cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:51:57.205056Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:50:54.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:57.205056Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/russell.martin/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"f9f18977a180437631eb8e969d503075\",\"sha256Checksum\":\"cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022\",\"createTimestamp\":\"2020-08-21T01:27:36.760Z\",\"modifyTimestamp\":\"2021-09-16T22:50:53.422Z\",\"deviceUserName\":\"russell.martin@example.edu\",\"osHostName\":\"RUSSELLM-OFFICI\",\"domainName\":\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.162\",\"fe80:0:0:0:49f7:c945:904:10d5%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423453587837882\",\"userUid\":\"966201050854648997\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":nul
l,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"russell.martin\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:50:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4162539b-fbca-51cf-b6e4-0a6b26d39962", "observed_start_time": "2021-09-16T22:50:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:50:54.234Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "RUSSELLM-OFFICI", "RUSSELLM-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:50:53.422Z", "text/plain", "MODIFIED", "162.222.47.183", "russell.martin", "cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022", "2021-09-16T22:52:32.764Z", 21, "code42-exfil-share-datatype", "f9f18977a180437631eb8e969d503075", 57848, "false", "TRUE", "C:/Users/russell.martin/", "Document", "Administrators", "FILE", "966201050854648997", "2021-09-16T22:50:54.234Z", "russell.martin@example.edu", "russell.martin@example.edu", "2020-08-21T01:27:36.760Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 
ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.216Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337256Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"libnanoapi.lib\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":1570,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bb41b302cf1325c4f459616da8e605a2\",\"sha256Checksum\":\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"createTimestamp\":\"2021-09-09T09:44:28.468Z\",\"modifyTimestamp\":\"2021-09-09T09:44:30.262Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-archive\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters
\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f011d516-96c8-5ad3-a4b0-533801bdca65", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.216Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": 
"string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libnanoapi.lib", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:30.262Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df", "2021-09-16T22:52:32.763Z", 1570, "code42-exfil-share-datatype", "bb41b302cf1325c4f459616da8e605a2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/", "Archive", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.216Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.468Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll 
fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:30.321Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337686Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"inktotextengineimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":346480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3579a936952da7532c4358700bed43a3\",\"sha256Checksum\":\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.674Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":
false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:30Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b5817d5a-4a72-58ec-81bc-5a28f291f095", "observed_start_time": "2021-09-16T22:48:30Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:30.321Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "inktotextengineimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.674Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82", "2021-09-16T22:52:32.762Z", 346480, "code42-exfil-share-datatype", "3579a936952da7532c4358700bed43a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:30.321Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.295Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335136Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5a9f0b52ac62762bd03d34c0e410acb3\",\"sha256Checksum\":\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.316Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removabl
eMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-a05b4e8f-6202-5499-ba07-3718cf72c197", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.295Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.316Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0", "2021-09-16T22:52:32.760Z", 15224, "code42-exfil-share-datatype", "5a9f0b52ac62762bd03d34c0e410acb3", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.295Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.241Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335618Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",\"sha256Checksum\":\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.863Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a0de864d-2900-5255-812e-84ad1269fe51", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.863Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d", "2021-09-16T22:52:32.765Z", 15240, "code42-exfil-share-datatype", "d1b7ec7c3a95ec1e84117bfef59f1ab6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.241Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.330Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335818Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1b1e7bc04757e673ca956218abdb7959\",\"sha256Checksum\":\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"createTimestamp\":\"2021-08-18T09:55:42.393Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.144Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removabl
eMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-72a3a626-c665-500e-8f8e-348475fffa7a", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.330Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.144Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb", "2021-09-16T22:52:32.766Z", 15736, "code42-exfil-share-datatype", "1b1e7bc04757e673ca956218abdb7959", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.330Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.393Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.233Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336279Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":35728,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1b4ed26020dd106aaf2e1a6265dce9d\",\"sha256Checksum\":\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"createTimestamp\":\"2021-08-18T09:55:42.627Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.224Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b94cad0a-dbae-50b0-8247-6f277b16ef62", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.233Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.224Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f", "2021-09-16T22:52:32.760Z", 35728, "code42-exfil-share-datatype", "e1b4ed26020dd106aaf2e1a6265dce9d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.233Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.627Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:46.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315412Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"fileName\":\"qtquickextrasplugin.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":80256,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"68118cdf04def6c50804a705773bbd9b\",\"sha256Checksum\":\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"createTimestamp\":\"2021-09-08T09:32:21.221Z\",\"modifyTimestamp\":\"2021-09-08T09:32:21.223Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,
\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:46Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4a0c230f-9717-5e9f-a713-a19dc76fff57", "observed_start_time": "2021-09-16T22:48:46Z", "count": 1, 
"observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:46.178Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "qtquickextrasplugin.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:21.223Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8", "2021-09-16T22:52:32.765Z", 80256, "code42-exfil-share-datatype", "68118cdf04def6c50804a705773bbd9b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:46.178Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:21.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.278Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336341Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"UIAutomationClient.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18320,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e55e4041d9e6f6bf0d3738a25255913\",\"sha256Checksum\":\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.271Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\
":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-05bbd72b-3d43-546c-9d35-945d8f707e57", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.278Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationClient.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.271Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f", "2021-09-16T22:52:32.762Z", 18320, "code42-exfil-share-datatype", "5e55e4041d9e6f6bf0d3738a25255913", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.278Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.345Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337890Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSync.Resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2382208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"3c69d0029f27ff52a1b4d3f70fef0d2b\",\"sha256Checksum\":\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"createTimestamp\":\"2021-09-08T09:32:12.114Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.146Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-948e9f79-dc63-5056-aea8-c68e06874928", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.345Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": 
"src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSync.Resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.146Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f", "2021-09-16T22:52:32.760Z", 2382208, "code42-exfil-share-datatype", "3c69d0029f27ff52a1b4d3f70fef0d2b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.345Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.114Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.322Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335199Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"WindowsFormsIntegration.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",\"sha256Checksum\":\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.379Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-591003e3-d294-5b92-b79e-0b8f876ef71a", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.322Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsFormsIntegration.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.379Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281", "2021-09-16T22:52:32.766Z", 14736, "code42-exfil-share-datatype", "6e8097b4e0d86ed2d1fc1f6f1e3d3ed4", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.322Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.409Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314795Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-interlocked-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11640,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"72413f1254d09348dab76ee4e5e2e300\",\"sha256Checksum\":\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"createTimestamp\":\"2021-09-08T09:32:11.394Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.395Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0
:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains 
observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9d71ceb9-5bd1-5f54-9ab2-e4c2b17d36ec", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.409Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", 
"api-ms-win-core-interlocked-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.395Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9", "2021-09-16T22:52:32.767Z", 11640, "code42-exfil-share-datatype", "72413f1254d09348dab76ee4e5e2e300", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.409Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.394Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336992Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.ComponentModel.Annotations.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":43152,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"7d3d14b0417a68ccdd9c51972ff74863\",\"sha256Checksum\":\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d53d7240-3aa7-5101-93e4-21c54bf8057d", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.258Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ComponentModel.Annotations.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4", "2021-09-16T22:52:32.766Z", 43152, "code42-exfil-share-datatype", "7d3d14b0417a68ccdd9c51972ff74863", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.391Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314714Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-debug-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5c7fa0b68872c2d1d3f10601e3af2341\",\"sha256Checksum\":\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"createTimestamp\":\"2021-09-08T09:32:11.181Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.185Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"r
emovableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-76f5923e-90cb-5871-a068-f325c3b14df5", "observed_start_time": "2021-09-16T22:48:40Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.391Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-debug-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.185Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477", "2021-09-16T22:52:32.758Z", 11648, "code42-exfil-share-datatype", "5c7fa0b68872c2d1d3f10601e3af2341", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.391Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:11.181Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 
ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:59:02.980Z\",\"insertionTimestamp\":\"2021-09-16T23:01:17.003636Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661803,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7a691f6c406d52373ad2c62e2f480bb3\",\"sha256Checksum\":\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:59:00.670Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:59:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61482_bb3b8a648af1"], "disposition": 5, 
"short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44f8d201-58cc-59b9-97c3-f246c522fbbf", "observed_start_time": "2021-09-16T22:59:02Z", "count": 1, "observable_type": "ip", "ctr_uuid": "2b62502c-3789-473e-82ed-1635c31f6ebb", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:59:02.980Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": 
"string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:59:00.670Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3", "2021-09-16T23:02:30.314Z", 6661803, "code42-exfil-share-datatype", "7a691f6c406d52373ad2c62e2f480bb3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:59:02.980Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z 
ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.194Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336844Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Options.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":50552,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"89c3d573e8b2e5a71850a69f14fff1a5\",\"sha256Checksum\":\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d48070bb-5f27-5c2d-988d-60be6d9b5bf9", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.194Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Options.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c", "2021-09-16T22:52:32.763Z", 50552, "code42-exfil-share-datatype", "89c3d573e8b2e5a71850a69f14fff1a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.194Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.199Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315098Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-runtime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":16248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"439e89fa2d4882b639df5e8ec7a96ba3\",\"sha256Checksum\":\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"createTimestamp\":\"2021-09-08T09:32:11.868Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\
"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a0d1586a-980b-53db-a3bd-54d0da5b1f6c", "observed_start_time": "2021-09-16T22:48:41Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.199Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-runtime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862", "2021-09-16T22:52:32.759Z", 16248, "code42-exfil-share-datatype", "439e89fa2d4882b639df5e8ec7a96ba3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.199Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:11.868Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.248Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315215Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"ipcfile.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":519040,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c0ae22d4188ac20d9d83dd26ad0aabe8\",\"sha256Checksum\":\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"createTimestamp\":\"2021-09-08T09:32:13.591Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.599Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\
":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-688ee4c8-f77c-5f46-9836-4348af79eaac", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.248Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ipcfile.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:13.599Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0", "2021-09-16T22:52:32.766Z", 519040, "code42-exfil-share-datatype", "c0ae22d4188ac20d9d83dd26ad0aabe8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.248Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:57:00.388Z 804e3b095828 Skyformation - 828612858482025544 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 dproc=file events dtz=default-tenant end=1631833020388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:00.388Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:59.574Z ext_md5Checksum=8efa479f501fce555f0d148ed15700ff ext_sharedWith=[] 
ext_sha256Checksum=7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:23.763511Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:57:00.388Z\",\"insertionTimestamp\":\"2021-09-16T22:58:23.763511Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"8efa479f501fce555f0d148ed15700ff\",\"sha256Checksum\":\"7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T22:56:59.574Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sha
redWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:57:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-16c0c82f-103f-5735-8035-176b59587558", "observed_start_time": "2021-09-16T22:57:00Z", "count": 1, "observable_type": "ip", "ctr_uuid": "939e6101-de49-4225-a54a-08c9718d357c", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:57:00.388Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", 
"KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:56:59.574Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0", "2021-09-16T23:00:29.721Z", 21, "code42-exfil-share-datatype", "8efa479f501fce555f0d148ed15700ff", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T22:57:00.388Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.201Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314355Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.WebSocketClient.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1103208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"e93c70df0faa580e8272c9c833238352\",\"sha256Checksum\":\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"createTimestamp\":\"2021-09-08T09:32:14.457Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.468Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":fals
e,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6c6ba0d2-5cb7-5fb4-b8fa-b1ddcca2b916", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.201Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.WebSocketClient.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.468Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00", "2021-09-16T22:52:32.763Z", 1103208, "code42-exfil-share-datatype", "e93c70df0faa580e8272c9c833238352", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.201Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.457Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.250Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336984Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Collections.Immutable.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":302216,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d8203aedaabeac1e606cd0e2af397d01\",\"sha256Checksum\":\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.294Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNum
ber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-a06655bf-1d69-5734-9385-bedd69f54dde", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.250Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Collections.Immutable.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.294Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57", "2021-09-16T22:52:32.760Z", 302216, "code42-exfil-share-datatype", "d8203aedaabeac1e606cd0e2af397d01", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", 
"Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.250Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:45.200Z 804e3b095828 Skyformation - 4568069721930504518 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 dproc=file events dtz=default-tenant end=1631832945200 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:45.200Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:44.294Z ext_md5Checksum=443f8cb00cc5111045099941ed333760 ext_sharedWith=[] ext_sha256Checksum=0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:57.527022Z 
ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:45.200Z\",\"insertionTimestamp\":\"2021-09-16T22:56:57.527022Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/eric.strauss/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"443f8cb00cc5111045099941ed333760\",\"sha256Checksum\":\"0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59\",\"createTimestamp\":\"2020-08-14T13:40:10.269Z\",\"modifyTimestamp\":\"2021-09-16T22:55:44.294Z\",\"deviceUserName\":\"eric.strauss@c42se.com\",\"osHostName\":\"ERICS-OFFICIAL-\",\"domainName\":\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:10bc:b19:239f:6063%eth4\",\"172.20.65.70\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"949085489986461736\",\"userUid\":\"886924612955838070\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\
"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"eric.strauss\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:45Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-88010803-a3bd-5c70-ad45-f8a8ff7c5250", "observed_start_time": "2021-09-16T22:55:45Z", "count": 1, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-09-16T22:55:45.200Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ERICS-OFFICIAL-", "ERICS-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:55:44.294Z", "text/plain", "MODIFIED", "162.222.47.183", "eric.strauss", "0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "443f8cb00cc5111045099941ed333760", 57848, "false", "TRUE", "C:/Users/eric.strauss/", "Document", "Administrators", "FILE", "886924612955838070", "2021-09-16T22:55:45.200Z", "eric.strauss@c42se.com", "eric.strauss@c42se.com", "2020-08-14T13:40:10.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 
7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 
ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337748Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"msoimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11529088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3f7fb1d32a7be58e65dc615a9553e183\",\"sha256Checksum\":\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:53.564Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"remov
ableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-c11cb0c5-6ce6-53e6-990a-3db70bde087e", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.153Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msoimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:53.564Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc", "2021-09-16T22:52:32.766Z", 11529088, "code42-exfil-share-datatype", "3f7fb1d32a7be58e65dc615a9553e183", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:31.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.132Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334824Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b81fa8bc88192c7febd2479638aea569\",\"sha256Checksum\":\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"createTimestamp\":\"2021-08-18T09:55:42.158Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.113Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-80f4bd35-8d77-5832-82bc-6e851b01ab6a", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.132Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.113Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "b81fa8bc88192c7febd2479638aea569", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.132Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.158Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:03:00.461Z 804e3b095828 Skyformation - 4596085183447228781 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 dproc=file events dtz=default-tenant end=1631833380461 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:00.461Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:59.649Z ext_md5Checksum=3466b521c7f5908415eda20dae617805 ext_sharedWith=[] ext_sha256Checksum=323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:49.475785Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:03:00.461Z\",\"insertionTimestamp\":\"2021-09-16T23:03:49.475785Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"3466b521c7f5908415eda20dae617805\",\"sha256Checksum\":\"323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T23:02:59.649Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismat
ch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:03:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7e0b6d27-4e43-591e-bfda-6a6ab3f6874a", "observed_start_time": "2021-09-16T23:03:00Z", "count": 1, "observable_type": "ip", "ctr_uuid": "acc3331d-c05a-44d1-b1e8-276faa688494", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:03:00.461Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", 
"type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", "KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:02:59.649Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a", "2021-09-16T23:38:30.159Z", 21, "code42-exfil-share-datatype", "3466b521c7f5908415eda20dae617805", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T23:03:00.461Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant 
duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z 
ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.136Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336703Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"987db26b17dc24d5b7dec25db1c103c2\",\"sha256Checksum\":\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMedia
PartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-25c017fd-4f45-5914-beb2-bc15656fec2f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": 
"2021-09-16T22:48:22.136Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5", "2021-09-16T22:52:32.759Z", 18296, "code42-exfil-share-datatype", "987db26b17dc24d5b7dec25db1c103c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.136Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, 
"description": "```\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337345Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":22965248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3bf2cfa3eeecd650c9564a2b6543b398\",\"sha256Checksum\":\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:51.480Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTit
le\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-faf386d2-1897-5faa-9341-f6a5fc3c9de2", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.281Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:51.480Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680", "2021-09-16T22:52:32.760Z", 22965248, "code42-exfil-share-datatype", "3bf2cfa3eeecd650c9564a2b6543b398", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:51:23.336Z 804e3b095828 Skyformation - 869866733287153498 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 dproc=file events dtz=default-tenant end=1631832683336 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:51:23.336Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:22.415Z ext_md5Checksum=1a91631bf8b9e8f8eebc32c23d289b00 ext_sharedWith=[] 
ext_sha256Checksum=528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:47.736678Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:51:23.336Z\",\"insertionTimestamp\":\"2021-09-16T22:52:47.736678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"1a91631bf8b9e8f8eebc32c23d289b00\",\"sha256Checksum\":\"528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T22:51:22.415Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\
":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:51:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-906a35f1-be54-5c29-beb5-915c1a319598", "observed_start_time": "2021-09-16T22:51:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:51:23.336Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:51:22.415Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad", "2021-09-16T22:54:30.602Z", 21, "code42-exfil-share-datatype", "1a91631bf8b9e8f8eebc32c23d289b00", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T22:51:23.336Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE 
ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315122Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-string-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f340a17ac423c71767d66973f69d05c8\",\"sha256Checksum\":\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"createTimestamp\":\"2021-09-08T09:32:11.882Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.883Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeT
ypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3de744ae-c05b-5cad-b8ba-bf2e42b878c5", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.206Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-string-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.883Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa", "2021-09-16T22:52:32.761Z", 18296, "code42-exfil-share-datatype", "f340a17ac423c71767d66973f69d05c8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.882Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.184Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337194Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"libnanoapimanaged.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7197696,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff0f788645e78335908728321c10454b\",\"sha256Checksum\":\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"createTimestamp\":\"2021-09-09T09:44:28.638Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.359Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"re
movableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3e1bc410-3631-5811-9b1f-f5830fe141bf", "observed_start_time": "2021-09-16T22:48:23Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.184Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "libnanoapimanaged.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.359Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c", "2021-09-16T22:52:32.759Z", 7197696, "code42-exfil-share-datatype", "ff0f788645e78335908728321c10454b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.184Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-09T09:44:28.638Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.089Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336572Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Castle.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":442368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2fba45e50a9fb187e9873416bc6b4400\",\"sha256Checksum\":\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"createTimestamp\":\"2021-05-13T09:36:01.137Z\",\"modifyTimestamp\":\"2021-05-13T09:36:05.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\
"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0f6806eb-5784-52b4-93cd-fa869fedf5ed", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.089Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Castle.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:05.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23", "2021-09-16T22:52:32.760Z", 442368, "code42-exfil-share-datatype", "2fba45e50a9fb187e9873416bc6b4400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.089Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.137Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:47.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315494Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"fileName\":\"OneDriveSetup.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47927168,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82a458793a4b821e54408db1a0ae4124\",\"sha256Checksum\":\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"createTimestamp\":\"2021-09-14T09:30:08.167Z\",\"modifyTimestamp\":\"2021-09-14T09:29:55.334Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applica
tion/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:47Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d31e6464-3207-5c61-87e3-a41b36564185", "observed_start_time": "2021-09-16T22:48:47Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:47.204Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "OneDriveSetup.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-14T09:29:55.334Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4", "2021-09-16T22:52:32.761Z", 47927168, "code42-exfil-share-datatype", "82a458793a4b821e54408db1a0ae4124", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:47.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-14T09:30:08.167Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.268Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334477Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45448,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c9ea75b02fd1d01f87d8ca868c1ec833\",\"sha256Checksum\":\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"createTimestamp\":\"2021-08-18T09:55:42.111Z\",\"modifyTimestamp\":\"2021-08-18T09:55:47.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removable
MediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c9f0fbfb-5ab6-542b-a192-b8fd98e410f9", 
"observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.268Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:47.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d", "2021-09-16T22:52:32.759Z", 45448, "code42-exfil-share-datatype", "c9ea75b02fd1d01f87d8ca868c1ec833", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:18.268Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.111Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:00:01.360Z 804e3b095828 Skyformation - 3885683649781971647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 dproc=file events dtz=default-tenant end=1631833201360 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:01.360Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:00.548Z ext_md5Checksum=6ef406323b86ee9fc610e512e565eceb ext_sharedWith=[] ext_sha256Checksum=a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:01:26.761677Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:00:01.360Z\",\"insertionTimestamp\":\"2021-09-16T23:01:26.761677Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/lisa.anderson/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"6ef406323b86ee9fc610e512e565eceb\",\"sha256Checksum\":\"a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606\",\"createTimestamp\":\"2020-08-20T15:35:40.032Z\",\"modifyTimestamp\":\"2021-09-16T23:00:00.548Z\",\"deviceUserName\":\"lisa.anderson@example.edu\",\"osHostName\":\"LISAA-OFFICIAL-\",\"domainName\":\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.165\",\"0:0:0:0:0:0:0:1\",\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\",\"127.0.0.1\"],\"deviceUid\":\"968364480722593364\",\"userUid\":\"966200991614299301\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removab
leMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"lisa.anderson\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:00:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b5131dad-59b7-5e9c-af0c-bd9880bf8180", "observed_start_time": "2021-09-16T23:00:01Z", "count": 1, "observable_type": "ip", "ctr_uuid": "82ff18f9-a2f2-468e-b769-864955bf9f94", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T23:00:01.360Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "LISAA-OFFICIAL-", "LISAA-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:00:00.548Z", "text/plain", "MODIFIED", "162.222.47.183", "lisa.anderson", "a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606", "2021-09-16T23:02:30.314Z", 21, "code42-exfil-share-datatype", "6ef406323b86ee9fc610e512e565eceb", 57848, "false", "TRUE", "C:/Users/lisa.anderson/", "Document", "Administrators", "FILE", "966200991614299301", "2021-09-16T23:00:01.360Z", "lisa.anderson@example.edu", "lisa.anderson@example.edu", "2020-08-20T15:35:40.032Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.158Z 
804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336139Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f96e04ea6cbce1560b83bff7a42f29b0\",\"sha256Checksum\":\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\
"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a7debce1-3ffd-50ca-b4dd-86c49407a4b2", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.158Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9", "2021-09-16T22:52:32.763Z", 14224, "code42-exfil-share-datatype", "f96e04ea6cbce1560b83bff7a42f29b0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:00:53.518Z 804e3b095828 Skyformation - 9157518344019267215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 dproc=file events dtz=default-tenant end=1631833253518 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:53.518Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:52.603Z ext_md5Checksum=07123ecb22ebf61f593efe09b307cb58 
ext_sharedWith=[] ext_sha256Checksum=6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:35.401169Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:00:53.518Z\",\"insertionTimestamp\":\"2021-09-16T23:02:35.401169Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/alex.cooper/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"07123ecb22ebf61f593efe09b307cb58\",\"sha256Checksum\":\"6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217\",\"createTimestamp\":\"2020-08-14T13:57:46.726Z\",\"modifyTimestamp\":\"2021-09-16T23:00:52.603Z\",\"deviceUserName\":\"alex.cooper@c42se.com\",\"osHostName\":\"ALEXC-OFFICIAL-\",\"domainName\":\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.65.62\",\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944595906935824510\",\"userUid\":\"925771637667629373\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":nul
l,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"alex.cooper\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:00:53Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_14_61484_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0f0674ff-844f-5bef-96fa-3838e5680bbb", "observed_start_time": "2021-09-16T23:00:53Z", "count": 1, "observable_type": "ip", "ctr_uuid": "8b4565a6-1f89-498b-bd58-e2b514f127a1", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:00:53.518Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ALEXC-OFFICIAL-", 
"ALEXC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:00:52.603Z", "text/plain", "MODIFIED", "162.222.47.183", "alex.cooper", "6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217", "2021-09-16T23:04:29.765Z", 21, "code42-exfil-share-datatype", "07123ecb22ebf61f593efe09b307cb58", 57848, "false", "TRUE", "C:/Users/alex.cooper/", "Document", "Administrators", "FILE", "925771637667629373", "2021-09-16T23:00:53.518Z", "alex.cooper@c42se.com", "alex.cooper@c42se.com", "2020-08-14T13:57:46.726Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.207Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314378Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":729448,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"4bb5499613eca0fe0670a3cab2d5318e\",\"sha256Checksum\":\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"createTimestamp\":\"2021-09-08T09:32:14.205Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.217Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e2f84dc5-c14e-5c9e-8387-08f1c5f04b0d", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.207Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": 
"src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.217Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636", "2021-09-16T22:52:32.764Z", 729448, "code42-exfil-share-datatype", "4bb5499613eca0fe0670a3cab2d5318e", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.207Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.205Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.134Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336077Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Forms.Design.Editors.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":78200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3feb5a138ff178c1dd47a8a99f394517\",\"sha256Checksum\":\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.771Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removab
leMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-df2ba03f-9021-5a29-9af0-4d748fd81b32", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.134Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.Design.Editors.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.771Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30", "2021-09-16T22:52:32.759Z", 78200, "code42-exfil-share-datatype", "3feb5a138ff178c1dd47a8a99f394517", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.134Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:58:45.240Z 804e3b095828 Skyformation - 1503382521195344208 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 dproc=file events dtz=default-tenant end=1631833125240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:58:45.240Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:58:44.334Z ext_md5Checksum=4d815e327303356a651e8f6309dbddb2 ext_sharedWith=[] ext_sha256Checksum=44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:23.643528Z ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:58:45.240Z\",\"insertionTimestamp\":\"2021-09-16T23:02:23.643528Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/eric.strauss/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4d815e327303356a651e8f6309dbddb2\",\"sha256Checksum\":\"44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e\",\"createTimestamp\":\"2020-08-14T13:40:10.269Z\",\"modifyTimestamp\":\"2021-09-16T22:58:44.334Z\",\"deviceUserName\":\"eric.strauss@c42se.com\",\"osHostName\":\"ERICS-OFFICIAL-\",\"domainName\":\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:10bc:b19:239f:6063%eth4\",\"172.20.65.70\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"949085489986461736\",\"userUid\":\"886924612955838070\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"re
movableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"eric.strauss\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:58:45Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1c9475b8-bc10-5f3a-a528-b8a5ae119847", 
"observed_start_time": "2021-09-16T22:58:45Z", "count": 1, "observable_type": "ip", "ctr_uuid": "ac383ed4-03ef-4ca4-ab67-7192058fdf33", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:58:45.240Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ERICS-OFFICIAL-", "ERICS-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:58:44.334Z", "text/plain", "MODIFIED", "162.222.47.183", "eric.strauss", "44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e", "2021-09-16T23:04:29.763Z", 21, "code42-exfil-share-datatype", "4d815e327303356a651e8f6309dbddb2", 57848, "false", "TRUE", "C:/Users/eric.strauss/", "Document", "Administrators", "FILE", "886924612955838070", "2021-09-16T22:58:45.240Z", "eric.strauss@c42se.com", 
"eric.strauss@c42se.com", "2020-08-14T13:40:10.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336975Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Buffers.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20856,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ecdfe8ede869d2ccc6bf99981ea96400\",\"sha256Checksum\":\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.607Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,
\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-eb0c66e8-84ad-581a-9f9a-25cebb09004f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.246Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Buffers.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.607Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb", "2021-09-16T22:52:32.759Z", 20856, "code42-exfil-share-datatype", "ecdfe8ede869d2ccc6bf99981ea96400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.307Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":53112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0bf7eed5f18b294cd26d33a71c831237\",\"sha256Checksum\":\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.098Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dd407cc3-3f46-5b52-b2e8-65ebc0e516ed", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.307Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.098Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28", "2021-09-16T22:52:32.764Z", 53112, "code42-exfil-share-datatype", "0bf7eed5f18b294cd26d33a71c831237", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.307Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:03:22.644Z 804e3b095828 Skyformation - 273274590069601610 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 dproc=file events dtz=default-tenant end=1631833402644 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:22.644Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:03:22.573Z ext_md5Checksum=b65499280f2f8d7b7151a3fa44c0a24f ext_sharedWith=[] ext_sha256Checksum=417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:09:05.264820Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:03:22.644Z\",\"insertionTimestamp\":\"2021-09-16T23:09:05.264820Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"b65499280f2f8d7b7151a3fa44c0a24f\",\"sha256Checksum\":\"417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T23:03:22.573Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":f
alse,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:03:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-72310698-525a-5a66-a3ee-20a1deca64d3", "observed_start_time": "2021-09-16T23:03:22Z", "count": 1, "observable_type": "ip", "ctr_uuid": "78ece332-023a-4318-975d-a6c6d25a3ffb", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:03:22.644Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": 
"string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:03:22.573Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38", "2021-09-16T23:38:30.159Z", 21, "code42-exfil-share-datatype", "b65499280f2f8d7b7151a3fa44c0a24f", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T23:03:22.644Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username 
duser=darnell.waters end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.411Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314807Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"94d4e2bb8654b77c41cd35574e3f0299\",\"sha256Checksum\":\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"createTimestamp\":\"2021-09-08T09:32:11.401Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.402Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncD
estinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3a79e39-11d3-53f1-b007-2ec9ea47ae64", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.411Z"}, "ctr_hide": false, "clean": 0, 
"data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-libraryloader-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.402Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082", "2021-09-16T22:52:32.762Z", 12664, "code42-exfil-share-datatype", "94d4e2bb8654b77c41cd35574e3f0299", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.411Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.401Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 
Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] 
ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337062Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Threading.Channels.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"523c15d2368a36583c90119fd9f52fe7\",\"sha256Checksum\":\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.230Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowT
itle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cb6020cb-fa6b-58ab-9a08-8c624a73ee5b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.288Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Threading.Channels.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.230Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0", "2021-09-16T22:52:32.766Z", 45952, "code42-exfil-share-datatype", "523c15d2368a36583c90119fd9f52fe7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "5ae96ef1-5cbf-4007-b97f-f25fa5da8d0c", "observable": {"key": "7dddf0ad-0f0d-44da-b109-ae4251e920c5", "value": "162.222.47.183", "indicators": [], "type": "ip", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f5f1e5c6", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "ip", "value": "162.222.47.183"}, "type": "warning", "action_id": "84f9c555-287e-4ed0-9caf-8ff5f23a21dc", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for 162.222.47.183 than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "162.222.47.183", "id": "f5f1e5c6", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] 
ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.231Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314459Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5DBus.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":437624,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"d10cb4ac9a26d6350f1079399351e9d3\",\"sha256Checksum\":\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"createTimestamp\":\"2021-09-08T09:32:15.238Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.354Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[
],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ccea10ce-60a9-516a-adc2-ab30852b2b65", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.231Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5DBus.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:15.354Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8", "2021-09-16T22:52:32.760Z", 437624, "code42-exfil-share-datatype", "d10cb4ac9a26d6350f1079399351e9d3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.231Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.238Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.331Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337467Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.Core.winmd\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":20280,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d16aec0e28a5f509a04722edf62e01eb\",\"sha256Checksum\":\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.439Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":n
ull,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6af36d6f-8b1a-53f4-b011-92aea968dc13", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.331Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": 
"string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Office.UI.Xaml.Core.winmd", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.439Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7", "2021-09-16T22:52:32.764Z", 20280, "code42-exfil-share-datatype", "d16aec0e28a5f509a04722edf62e01eb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.331Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file 
flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] 
ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.316Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336422Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e2dd338ceac0daebdfdf99d72e40fd80\",\"sha256Checksum\":\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.349Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":nul
l,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-46a69277-670c-5a04-a296-4ce39a3e0361", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.316Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.349Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34", "2021-09-16T22:52:32.761Z", 36240, "code42-exfil-share-datatype", "e2dd338ceac0daebdfdf99d72e40fd80", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.316Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335127Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Forms.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":355192,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47613e3bfa408b3299c04d0df45433ba\",\"sha256Checksum\":\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.301Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\"
:[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-22383b2e-6dd0-5329-baf0-9074acc3b3a0", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.292Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.301Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5", "2021-09-16T22:52:32.763Z", 355192, "code42-exfil-share-datatype", "47613e3bfa408b3299c04d0df45433ba", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.285Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337054Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":293248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"64efa1bfed847afd252e7af274648474\",\"sha256Checksum\":\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-523329ab-5b5f-5357-a64e-8ae0ce7f5456", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.285Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237", "2021-09-16T22:52:32.764Z", 293248, "code42-exfil-share-datatype", "64efa1bfed847afd252e7af274648474", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.285Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335653Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6b163d1438afbe087bb895d76ea393e7\",\"sha256Checksum\":\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.926Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"
removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3a1fee14-256f-510f-aced-1bf23fb968cd", 
"observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.258Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.926Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3", "2021-09-16T22:52:32.760Z", 14200, "code42-exfil-share-datatype", "6b163d1438afbe087bb895d76ea393e7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", 
"902428473202283166", "2021-09-16T22:48:20.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.105Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336624Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"DotNetty.Transport.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":254464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a67dcf64aab4980b9bd9fb623cc7242\",\"sha256Checksum\":\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.044Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":
null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-13a0b29e-3db3-522a-a911-be3d684f1f07", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.105Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "DotNetty.Transport.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.044Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4", "2021-09-16T22:52:32.765Z", 254464, "code42-exfil-share-datatype", "4a67dcf64aab4980b9bd9fb623cc7242", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.105Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337045Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Encodings.Web.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":59768,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2e2490a823b4a3d290a98d0371d199ed\",\"sha256Checksum\":\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bdd0dfb1-55f1-5bbd-85ab-d589623e4230", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.281Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Encodings.Web.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724", "2021-09-16T22:52:32.766Z", 59768, "code42-exfil-share-datatype", "2e2490a823b4a3d290a98d0371d199ed", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336218Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"vcruntime140_cor3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":97160,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18049f6811fc0f94547189a9e104f5d2\",\"sha256Checksum\":\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"createTimestamp\":\"2021-08-18T09:55:42.611Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.958Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":nu
ll,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6fb7d559-f724-5f37-9187-9d037f75fda3", "observed_start_time": "2021-09-16T22:48:21Z", "count": 
1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.206Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "vcruntime140_cor3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.958Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db", "2021-09-16T22:52:32.762Z", 97160, "code42-exfil-share-datatype", "18049f6811fc0f94547189a9e104f5d2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.206Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-08-18T09:55:42.611Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.161Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334894Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"981e3dd612e3d93ba10c54e46d378aa5\",\"sha256Checksum\":\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.176Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\"
,\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6fb7d7f8-f5f2-572a-97f2-cc3be5dd47f1", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.161Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.176Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0", "2021-09-16T22:52:32.762Z", 17784, "code42-exfil-share-datatype", "981e3dd612e3d93ba10c54e46d378aa5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.161Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.128Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337977Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncTelemetryExtensions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":71544,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"faaf9d982dbaa8ab547098f1fb6abc81\",\"sha256Checksum\":\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"createTimestamp\":\"2021-09-08T09:32:13.402Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.405Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTy
peByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1f33d210-e0ea-5ac6-bb07-7a447613b190", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.128Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncTelemetryExtensions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.405Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239", "2021-09-16T22:52:32.759Z", 71544, "code42-exfil-share-datatype", "faaf9d982dbaa8ab547098f1fb6abc81", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.128Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.402Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.172Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336782Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Binder.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":24952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f97d210b3ede360f920e2b1d5b702d6b\",\"sha256Checksum\":\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVe
ndor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-40aa9339-7c7b-54de-9324-9377e056d4e2", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.172Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Binder.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4", "2021-09-16T22:52:32.763Z", 24952, "code42-exfil-share-datatype", "f97d210b3ede360f920e2b1d5b702d6b", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.172Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z 
ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.191Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337203Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"fileName\":\"e_sqlite3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":870400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6844e4b40c797e392e1dddcfae0b8dd4\",\"sha256Checksum\":\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"createTimestamp\":\"2020-08-20T09:07:00.718Z\",\"modifyTimestamp\":\"2020-08-20T09:07:05.686Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9125605f-1264-5799-9b5e-5b14abd34ad1", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.191Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", 
"type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "e_sqlite3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-08-20T09:07:05.686Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1", "2021-09-16T22:52:32.766Z", 870400, "code42-exfil-share-datatype", "6844e4b40c797e392e1dddcfae0b8dd4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.191Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-08-20T09:07:00.718Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file 
flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; 
format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.280Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335704Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc434cced48beee1b8f867474c5cc33d\",\"sha256Checksum\":\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"createTimestamp\":\"2021-09-09T09:44:28.599Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.991Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUserna
me\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66391315-46a4-5cd5-8e36-797ce685401a", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.280Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.991Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6", "2021-09-16T22:52:32.765Z", 26112, "code42-exfil-share-datatype", "dc434cced48beee1b8f867474c5cc33d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.280Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.599Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:54:34.612Z 
804e3b095828 Skyformation - 6165243996888775860 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 dproc=file events dtz=default-tenant end=1631832874612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:54:34.612Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:54:33.697Z ext_md5Checksum=d4d35cde3d316ed4aeedf61797ae50a4 ext_sharedWith=[] ext_sha256Checksum=4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:52.367764Z ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:54:34.612Z\",\"insertionTimestamp\":\"2021-09-16T22:59:52.367764Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/sean.cassidy/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"d4d35cde3d316ed4aeedf61797ae50a4\",\"sha256Checksum\":\"4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b\",\"createTimestamp\":\"2020-03-23T20:49:51.288Z\",\"modifyTimestamp\":\"2021-09-16T22:54:33.697Z\",\"deviceUserName\":\"sean.cassidy@c42se.com\",\"osHostName\":\"SEANC-OFFICIAL-\",\"domainName\":\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\",\"172.20.65.56\"],\"deviceUid\":\"983156854068078725\",\"userUid\":\"887050325252344565\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\
":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"sean.cassidy\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:54:34Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a6622b12-9210-5391-b7a2-fb37b77d2330", "observed_start_time": "2021-09-16T22:54:34Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:54:34.612Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "SEANC-OFFICIAL-", "SEANC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:54:33.697Z", "text/plain", "MODIFIED", "162.222.47.183", "sean.cassidy", "4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b", "2021-09-16T23:02:30.314Z", 21, "code42-exfil-share-datatype", "d4d35cde3d316ed4aeedf61797ae50a4", 57848, "false", "TRUE", "C:/Users/sean.cassidy/", "Document", "Administrators", "FILE", "887050325252344565", "2021-09-16T22:54:34.612Z", "sean.cassidy@c42se.com", "sean.cassidy@c42se.com", "2020-03-23T20:49:51.288Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.100Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337625Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointlimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":377184,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"99d060c13d92442ea518ad6c13305532\",\"sha256Checksum\":\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"remov
ableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-49473a25-b7cc-50fd-a762-72b81b536667", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "ip", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.100Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointlimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191", "2021-09-16T22:52:32.765Z", 377184, "code42-exfil-share-datatype", "99d060c13d92442ea518ad6c13305532", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.100Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.262Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315284Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"msipc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3022712,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"dcd150947325c51dc49af1c568e76466\",\"sha256Checksum\":\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"createTimestamp\":\"2021-09-08T09:32:14.484Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.519Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":n
ull,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9e30b314-9ee6-5218-b163-313d2a5bb546", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.262Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msipc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:14.519Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1", "2021-09-16T22:52:32.766Z", 3022712, "code42-exfil-share-datatype", "dcd150947325c51dc49af1c568e76466", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.262Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.484Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:57:23.419Z 804e3b095828 Skyformation - 7013019646501643272 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 dproc=file events dtz=default-tenant end=1631833043419 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:23.419Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:57:22.503Z ext_md5Checksum=8ea299414f16148eb8517e478d71f64c ext_sharedWith=[] 
ext_sha256Checksum=e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:13.330998Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:57:23.419Z\",\"insertionTimestamp\":\"2021-09-16T22:58:13.330998Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"8ea299414f16148eb8517e478d71f64c\",\"sha256Checksum\":\"e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T22:57:22.503Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\
":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:57:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-39144912-bbfc-507f-a580-4c709660d4b3", "observed_start_time": "2021-09-16T22:57:23Z", "count": 1, "observable_type": "ip", "ctr_uuid": "a1f10421-bd33-4f50-8324-f03652392c01", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:57:23.419Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", 
"JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:57:22.503Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e", "2021-09-16T23:00:29.720Z", 21, "code42-exfil-share-datatype", "8ea299414f16148eb8517e478d71f64c", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T22:57:23.419Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:53.470Z 804e3b095828 Skyformation - 8757910183166367699 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 dproc=file events dtz=default-tenant end=1631832953470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:53.470Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:52.553Z ext_md5Checksum=42095b3368e04ec563ae3cc508cf7b0b ext_sharedWith=[] ext_sha256Checksum=7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:57:12.133407Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:53.470Z\",\"insertionTimestamp\":\"2021-09-16T22:57:12.133407Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/alex.cooper/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"42095b3368e04ec563ae3cc508cf7b0b\",\"sha256Checksum\":\"7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a\",\"createTimestamp\":\"2020-08-14T13:57:46.726Z\",\"modifyTimestamp\":\"2021-09-16T22:55:52.553Z\",\"deviceUserName\":\"alex.cooper@c42se.com\",\"osHostName\":\"ALEXC-OFFICIAL-\",\"domainName\":\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.65.62\",\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944595906935824510\",\"userUid\":\"925771637667629373\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"file
Id\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"alex.cooper\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:53Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6cc5937c-087a-5124-b1d8-ee04a483a05a", "observed_start_time": "2021-09-16T22:55:53Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:53.470Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ALEXC-OFFICIAL-", "ALEXC-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:55:52.553Z", "text/plain", "MODIFIED", "162.222.47.183", "alex.cooper", "7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "42095b3368e04ec563ae3cc508cf7b0b", 57848, "false", "TRUE", "C:/Users/alex.cooper/", "Document", "Administrators", "FILE", "925771637667629373", "2021-09-16T22:55:53.470Z", "alex.cooper@c42se.com", "alex.cooper@c42se.com", "2020-08-14T13:57:46.726Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.102Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335997Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":31744,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"88d5e6253dcb376fb076c87713b3628e\",\"sha256Checksum\":\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"createTimestamp\":\"2021-09-09T09:44:28.614Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.054Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d5460d1-da05-5833-8d33-4461a20b887c", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.102Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.054Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a", "2021-09-16T22:52:32.766Z", 31744, "code42-exfil-share-datatype", "88d5e6253dcb376fb076c87713b3628e", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.102Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.614Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.090Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335347Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":19968,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b2f71614b51575b117cfa4356d851423\",\"sha256Checksum\":\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"createTimestamp\":\"2021-09-09T09:44:28.589Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.950Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVen
dor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-9c09f4e8-150f-5f53-ba71-50de875db6f2", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.090Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.950Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b", "2021-09-16T22:52:32.761Z", 19968, "code42-exfil-share-datatype", "b2f71614b51575b117cfa4356d851423", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.090Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.589Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.168Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336774Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Abstractions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":21368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1c8f3a5d41fd162943613952097db8b\",\"sha256Checksum\":\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-30ad332e-3cc8-5056-9b47-f6c67e1be5ad", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.168Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Abstractions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732", "2021-09-16T22:52:32.765Z", 21368, "code42-exfil-share-datatype", "e1c8f3a5d41fd162943613952097db8b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.168Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:02:22.586Z 804e3b095828 Skyformation - 166520060466349731 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 dproc=file events dtz=default-tenant end=1631833342586 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:02:22.586Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:22.567Z ext_md5Checksum=863d783444c0ecd387c905e9176bf141 ext_sharedWith=[] ext_sha256Checksum=fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:40.014640Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:02:22.586Z\",\"insertionTimestamp\":\"2021-09-16T23:03:40.014640Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"863d783444c0ecd387c905e9176bf141\",\"sha256Checksum\":\"fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T23:02:22.567Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":f
alse,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:02:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_3_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4993fc49-66eb-5a74-8700-2b0bed24b796", "observed_start_time": "2021-09-16T23:02:22Z", "count": 1, "observable_type": "ip", "ctr_uuid": "41ce6a98-376a-408e-a126-14b22993139c", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:02:22.586Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": 
"string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:02:22.567Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833", "2021-09-16T23:04:29.764Z", 21, "code42-exfil-share-datatype", "863d783444c0ecd387c905e9176bf141", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T23:02:22.586Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.190Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336835Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Logging.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":34168,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47d7a055ee7672f9b54ba629da07a6a3\",\"sha256Checksum\":\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination
\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-19f4f026-7d63-5465-9fc6-c1821bd52f8b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.190Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Logging.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c", "2021-09-16T22:52:32.766Z", 34168, "code42-exfil-share-datatype", "47d7a055ee7672f9b54ba629da07a6a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.190Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 
2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337538Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"TextEntityExtractorProxy.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":638976,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f8af1754c0bdb86deb1f68930784d580\",\"sha256Checksum\":\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.205Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"proces
sOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-767515fa-6d2b-54eb-b95a-d0ed62b96e67", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.350Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "TextEntityExtractorProxy.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.205Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab", "2021-09-16T22:52:32.767Z", 638976, "code42-exfil-share-datatype", "f8af1754c0bdb86deb1f68930784d580", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.309Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337398Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxOutlook.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1439232,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"845c649d20d35fc78fbab0c0d9ec5ec6\",\"sha256Checksum\":\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.168Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingS
ystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8ecbddf4-f6de-5532-b9a4-0c18b11274a2", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.309Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, 
{"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxOutlook.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.168Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a", "2021-09-16T22:52:32.761Z", 1439232, "code42-exfil-share-datatype", "845c649d20d35fc78fbab0c0d9ec5ec6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.309Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:56:54.736Z 804e3b095828 Skyformation - 2768134485455653850 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 dproc=file events dtz=default-tenant end=1631833014736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:56:54.736Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:53.830Z ext_md5Checksum=d7bad10ef06efb58306cf290c0666440 ext_sharedWith=[] ext_sha256Checksum=158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:26.353681Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:56:54.736Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353681Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/michelle.goldberg/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"d7bad10ef06efb58306cf290c0666440\",\"sha256Checksum\":\"158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba\",\"createTimestamp\":\"2020-08-14T14:53:22.049Z\",\"modifyTimestamp\":\"2021-09-16T22:56:53.830Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mime
TypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:56:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-53659e52-f299-5197-b32b-1b8ec8f96d9d", "observed_start_time": "2021-09-16T22:56:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:56:54.736Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": 
"modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:56:53.830Z", "text/plain", "MODIFIED", "162.222.47.183", "michelle.goldberg", "158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba", "2021-09-16T23:00:29.721Z", 21, "code42-exfil-share-datatype", "d7bad10ef06efb58306cf290c0666440", 57848, "false", "TRUE", "C:/Users/michelle.goldberg/", "Document", "Administrators", "FILE", "922302705889597824", "2021-09-16T22:56:54.736Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2020-08-14T14:53:22.049Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 8292696232025279500 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=3e524e400c05f8303ada6e81308853048f98951f fsize=348600 msg=Resource [Resource: file :: 3e524e400c05f8303ada6e81308853048f98951f] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=3e524e400c05f8303ada6e81308853048f98951f ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:53:42.201Z ext_md5Checksum=a41a0e7d69c8b117f5a841863ad4d765 ext_sharedWith=[] ext_sha256Checksum=ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=348600 ext_insertionTimestamp=2021-09-16T22:59:26.353728Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T09:53:42.064Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:55:32.032Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353728Z\",\"fieldErrors\":[],\"filePath\":\"C:/Windows/SoftwareDistribution/Download/\",\"fileName\":\"3e524e400c05f8303ada6e81308853048f98951f\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":348600,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"a41a0e7d69c8b117f5a841863ad4d765\",\"sha256Checksum\":\"ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae\",\"createTimestamp\":\"2021-09-15T09:53:42.064Z\",\"modifyTimestamp\":\"2021-09-15T09:53:42.201Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNam
es\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:32Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b141bf70-a77d-5e91-985f-804abf86f186", "observed_start_time": "2021-09-16T22:55:32Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:32.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "3e524e400c05f8303ada6e81308853048f98951f", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-15T09:53:42.201Z", "application/octet-stream", "DELETED", "162.222.47.183", "michelle.goldberg", "ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae", "2021-09-16T23:00:29.721Z", 348600, "code42-exfil-share-datatype", "a41a0e7d69c8b117f5a841863ad4d765", 57848, "false", "TRUE", "C:/Windows/SoftwareDistribution/Download/", "Executable", "SYSTEM", "FILE", "922302705889597824", "2021-09-16T22:55:32.032Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2021-09-15T09:53:42.064Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 
ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314982Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-conio-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c61e3c9099cc2b143cc93bf26ac01d34\",\"sha256Checksum\":\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"createTimestamp\":\"2021-09-08T09:32:11.790Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.790Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"re
movableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-19461a73-1623-57e1-9868-8316927e555a", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.158Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-conio-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.790Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc", "2021-09-16T22:52:32.763Z", 12664, "code42-exfil-share-datatype", "c61e3c9099cc2b143cc93bf26ac01d34", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", 
"Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.790Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:53:34.592Z 804e3b095828 Skyformation - 5887001634145810066 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 dproc=file events dtz=default-tenant end=1631832814592 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:53:34.592Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:53:33.688Z ext_md5Checksum=984ffdd35a8b9587207b594e6a6391b5 ext_sharedWith=[] ext_sha256Checksum=d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:27.640048Z 
ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:53:34.592Z\",\"insertionTimestamp\":\"2021-09-16T22:54:27.640048Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/sean.cassidy/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"984ffdd35a8b9587207b594e6a6391b5\",\"sha256Checksum\":\"d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e\",\"createTimestamp\":\"2020-03-23T20:49:51.288Z\",\"modifyTimestamp\":\"2021-09-16T22:53:33.688Z\",\"deviceUserName\":\"sean.cassidy@c42se.com\",\"osHostName\":\"SEANC-OFFICIAL-\",\"domainName\":\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\",\"172.20.65.56\"],\"deviceUid\":\"983156854068078725\",\"userUid\":\"887050325252344565\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":n
ull,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"sean.cassidy\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:53:34Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-719c033c-53b7-50ac-bf24-b8c674179635", "observed_start_time": "2021-09-16T22:53:34Z", "count": 1, "observable_type": "ip", "confidence": 
"High", "observed_time": {"start_time": "2021-09-16T22:53:34.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "SEANC-OFFICIAL-", "SEANC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:53:33.688Z", "text/plain", "MODIFIED", "162.222.47.183", "sean.cassidy", "d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "984ffdd35a8b9587207b594e6a6391b5", 57848, "false", "TRUE", "C:/Users/sean.cassidy/", "Document", "Administrators", "FILE", "887050325252344565", "2021-09-16T22:53:34.592Z", "sean.cassidy@c42se.com", "sean.cassidy@c42se.com", "2020-03-23T20:49:51.288Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:01:54.338Z 804e3b095828 Skyformation - 
5372332763298212826 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 dproc=file events dtz=default-tenant end=1631833314338 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:01:54.338Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:01:53.526Z ext_md5Checksum=88b43443da22c25cf6c00f8cd5c67b29 ext_sharedWith=[] ext_sha256Checksum=7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:49.223927Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:01:54.338Z\",\"insertionTimestamp\":\"2021-09-16T23:02:49.223927Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/russell.martin/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"88b43443da22c25cf6c00f8cd5c67b29\",\"sha256Checksum\":\"7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69\",\"createTimestamp\":\"2020-08-21T01:27:36.760Z\",\"modifyTimestamp\":\"2021-09-16T23:01:53.526Z\",\"deviceUserName\":\"russell.martin@example.edu\",\"osHostName\":\"RUSSELLM-OFFICI\",\"domainName\":\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.162\",\"fe80:0:0:0:49f7:c945:904:10d5%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423453587837882\",\"userUid\":\"966201050854648997\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipient
s\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"russell.martin\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:01:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-87711222-9004-58f2-8d70-d87870bdc475", "observed_start_time": "2021-09-16T23:01:54Z", "count": 1, "observable_type": "ip", "ctr_uuid": "8f6040be-aa37-4fc3-8cb4-58d4974ba70b", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:01:54.338Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "RUSSELLM-OFFICI", "RUSSELLM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:01:53.526Z", "text/plain", "MODIFIED", "162.222.47.183", "russell.martin", "7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69", "2021-09-16T23:04:29.765Z", 21, "code42-exfil-share-datatype", "88b43443da22c25cf6c00f8cd5c67b29", 57848, "false", "TRUE", "C:/Users/russell.martin/", "Document", "Administrators", "FILE", "966201050854648997", "2021-09-16T23:01:54.338Z", "russell.martin@example.edu", "russell.martin@example.edu", "2020-08-21T01:27:36.760Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.284Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337354Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxCommModel.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4250624,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1d0bcfa0671f607ba8e3ab53f893e8bb\",\"sha256Checksum\":\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.137Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-366d1237-2f8f-52da-b57a-6c5aeff7f553", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-09-16T22:48:27.284Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxCommModel.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.137Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3", "2021-09-16T22:52:32.763Z", 4250624, "code42-exfil-share-datatype", "1d0bcfa0671f607ba8e3ab53f893e8bb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.284Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, 
{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:52:00.340Z 804e3b095828 Skyformation - 101121762317961190 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 dproc=file events dtz=default-tenant end=1631832720340 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:00.340Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:59.527Z ext_md5Checksum=a5d9591d6f143c127c28abadbf112417 ext_sharedWith=[] ext_sha256Checksum=ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:59.169359Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:52:00.340Z\",\"insertionTimestamp\":\"2021-09-16T22:52:59.169359Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"a5d9591d6f143c127c28abadbf112417\",\"sha256Checksum\":\"ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T22:51:59.527Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailD
lpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:52:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b32701b6-d75d-5708-8872-225eb4b7fbd8", "observed_start_time": "2021-09-16T22:52:00Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:52:00.340Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", "KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:51:59.527Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "a5d9591d6f143c127c28abadbf112417", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T22:52:00.340Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.108Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Google.Protobuf.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":401064,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e73f645a041a91618e33299cfe33851\",\"sha256Checksum\":\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.060Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity
\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-764e8852-01b4-5167-bee9-61f29e31602d", "observed_start_time": 
"2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.108Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Google.Protobuf.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.060Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661", "2021-09-16T22:52:32.766Z", 401064, "code42-exfil-share-datatype", "5e73f645a041a91618e33299cfe33851", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.108Z", 
"darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:47:48.222Z\",\"insertionTimestamp\":\"2021-09-16T22:56:50.885010Z\",\"fieldErrors\":[],\"filePath\":\"C:/\",\"fileName\":\"sshd.pid\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":6,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4ae3b17c6481c84809152f331f7d783c\",\"sha256Checksum\":\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"createTimestamp\":\"2021-03-17T09:49:37.832Z\",\"modifyTimestamp\":\"2021-09-16T09:39:11.904Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPar
titionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:47:48Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5d48b52e-0e61-5614-b642-183dc0ac545e", "observed_start_time": "2021-09-16T22:47:48Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:47:48.222Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "sshd.pid", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T09:39:11.904Z", "application/octet-stream", "MODIFIED", "162.222.47.183", "darnell.waters", "c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750", "2021-09-16T22:58:29.756Z", 6, "code42-exfil-share-datatype", "4ae3b17c6481c84809152f331f7d783c", 57848, "false", "TRUE", "C:/", "Document", "Administrators", "FILE", "902428473202283166", "2021-09-16T22:47:48.222Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-03-17T09:49:37.832Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false 
ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",\"sha256Checksum\":\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"createTimestamp\":\"2021-09-09T09:44:28.598Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.987Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"
tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2574907d-cae0-57cc-b985-8815cca5ac1d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.288Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.987Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c", "2021-09-16T22:52:32.761Z", 26112, "code42-exfil-share-datatype", "c0d4746e3cb9e48dfa98f5e7d7bd98a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.598Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.146Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335417Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":208784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"beeb465b9ab84dbb8f78f866924d49fe\",\"sha256Checksum\":\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"createTimestamp\":\"2021-08-18T09:55:42.315Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.676Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-292bec71-c562-577a-a94f-ab54370603eb", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.146Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.676Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154", "2021-09-16T22:52:32.766Z", 208784, "code42-exfil-share-datatype", "beeb465b9ab84dbb8f78f866924d49fe", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.146Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.315Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.163Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335444Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b5cb4e7532586d8ec2a144fe895ef55d\",\"sha256Checksum\":\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"createTimestamp\":\"2021-08-18T09:55:42.330Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.707Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removab
leMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-1b62b73d-4074-5e2d-aed4-f833528c33c6", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.163Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.707Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e", "2021-09-16T22:52:32.765Z", 17272, "code42-exfil-share-datatype", "b5cb4e7532586d8ec2a144fe895ef55d", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.163Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.330Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] 
ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314470Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Gui.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6671232,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f53d5cd7837e933cf4cc8c07a1a88350\",\"sha256Checksum\":\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"createTimestamp\":\"2021-09-08T09:32:15.375Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.450Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":
[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6f1119de-1ca4-5c02-8a48-8d233b6c7f51", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.234Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Gui.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:15.450Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0", "2021-09-16T22:52:32.762Z", 6671232, "code42-exfil-share-datatype", "f53d5cd7837e933cf4cc8c07a1a88350", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.234Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.375Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.060Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335277Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1ac89288b8009c9a0fb138fb9d67b150\",\"sha256Checksum\":\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"createTimestamp\":\"2021-09-09T09:44:28.586Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.943Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9918c6d9-765e-5d8c-b914-bf67bca5fb25", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.060Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.943Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780", "2021-09-16T22:52:32.763Z", 30720, "code42-exfil-share-datatype", "1ac89288b8009c9a0fb138fb9d67b150", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.060Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.586Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.219Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336922Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Newtonsoft.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":653824,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f33cbe589b769956284868104686cc2d\",\"sha256Checksum\":\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"createTimestamp\":\"2020-05-21T13:18:58.618Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.588Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity
\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-aea8b0e5-235a-5595-8967-8fed89dcca7f", 
"observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.219Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Newtonsoft.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.588Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278", "2021-09-16T22:52:32.761Z", 653824, "code42-exfil-share-datatype", "f33cbe589b769956284868104686cc2d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:22.219Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] 
ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.160Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336148Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"077bb8ca6a783006aacb63d08317c339\",\"sha256Checksum\":\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61471_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0357656e-2c0b-5454-97fc-aaff38ba6255", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.160Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92", "2021-09-16T22:52:32.764Z", 17272, "code42-exfil-share-datatype", "077bb8ca6a783006aacb63d08317c339", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.160Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 2046146408369861582 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=4447782c2756c6c447299d79a0e92f6950df5def fsize=3105208 msg=Resource [Resource: file :: 4447782c2756c6c447299d79a0e92f6950df5def] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=4447782c2756c6c447299d79a0e92f6950df5def ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T10:01:33.097Z ext_md5Checksum=3a09012f4a87abb2366ffbf8ca4b70ec ext_sharedWith=[] ext_sha256Checksum=0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3105208 ext_insertionTimestamp=2021-09-16T22:59:26.353746Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T10:01:32.918Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:55:32.032Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353746Z\",\"fieldErrors\":[],\"filePath\":\"C:/Windows/SoftwareDistribution/Download/\",\"fileName\":\"4447782c2756c6c447299d79a0e92f6950df5def\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":3105208,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3a09012f4a87abb2366ffbf8ca4b70ec\",\"sha256Checksum\":\"0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862\",\"createTimestamp\":\"2021-09-15T10:01:32.918Z\",\"modifyTimestamp\":\"2021-09-15T10:01:33.097Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"remo
vableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:32Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_11_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6a55a80a-3597-5ff8-8362-b51c90225a52", "observed_start_time": "2021-09-16T22:55:32Z", "count": 1, "observable_type": 
"ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:32.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "4447782c2756c6c447299d79a0e92f6950df5def", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-15T10:01:33.097Z", "application/octet-stream", "DELETED", "162.222.47.183", "michelle.goldberg", "0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862", "2021-09-16T23:02:30.312Z", 3105208, "code42-exfil-share-datatype", "3a09012f4a87abb2366ffbf8ca4b70ec", 57848, "false", "TRUE", "C:/Windows/SoftwareDistribution/Download/", "Executable", "SYSTEM", "FILE", "922302705889597824", "2021-09-16T22:55:32.032Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2021-09-15T10:01:32.918Z"]]}}, 
{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.192Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314319Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.Calc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1333608,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"29b2b242a9fb8c094425d566c50f0958\",\"sha256Checksum\":\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"createTimestamp\":\"2021-09-08T09:32:13.949Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.967Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\
":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d06e6d6c-2bd7-559d-88b4-d7e4d1a89e9a", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.192Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.Calc.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.967Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64", "2021-09-16T22:52:32.760Z", 1333608, "code42-exfil-share-datatype", "29b2b242a9fb8c094425d566c50f0958", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.192Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.949Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335338Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"mscorrc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":13176,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fc24926593d08479a7ed2bdaff458d20\",\"sha256Checksum\":\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"createTimestamp\":\"2021-08-18T09:55:42.252Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.613Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemU
ser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-986981d1-b0c1-5463-b0d6-0f4ac3764bf2", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.086Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": 
"sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorrc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.613Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532", "2021-09-16T22:52:32.759Z", 13176, "code42-exfil-share-datatype", "fc24926593d08479a7ed2bdaff458d20", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.252Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED 
flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] 
ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.166Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Caching.Memory.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":32120,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"9e7c8d18c1128488df0dea96a6b5be3c\",\"sha256Checksum\":\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.247Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":nu
ll,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-32cf786a-b54f-5f06-8b5f-120a57ee31d5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.166Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Caching.Memory.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.247Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f", "2021-09-16T22:52:32.764Z", 32120, "code42-exfil-share-datatype", "9e7c8d18c1128488df0dea96a6b5be3c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.166Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 
ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336563Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"AutoMapper.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":286720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff3c3d84a000d57ef7d443f594d407ec\",\"sha256Checksum\":\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"createTimestamp\":\"2021-06-17T09:48:12.583Z\",\"modifyTimestamp\":\"2021-06-17T09:48:17.915Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":
[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4092231e-8015-5e72-93c4-007b94515cd6", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.086Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "AutoMapper.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-06-17T09:48:17.915Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48", "2021-09-16T22:52:32.759Z", 286720, "code42-exfil-share-datatype", "ff3c3d84a000d57ef7d443f594d407ec", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-06-17T09:48:12.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.123Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"igxim.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4910872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d19ae43d04b6c5c4b5f3fcc081b9e602\",\"sha256Checksum\":\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSy
stemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb0321a2-a87b-56fe-b5b5-20b9c02a89b4", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.123Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, 
{"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "igxim.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701", "2021-09-16T22:52:32.759Z", 4910872, "code42-exfil-share-datatype", "d19ae43d04b6c5c4b5f3fcc081b9e602", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.123Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:02.481Z\",\"insertionTimestamp\":\"2021-09-16T22:55:54.847061Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661687,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3df126f4a090da12f2c29b6e5c1c29da\",\"sha256Checksum\":\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.206Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-32ba2af3-2036-5524-8bbc-ace366ddd95d", "observed_start_time": "2021-09-16T22:55:02Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:02.481Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:55:00.206Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c", "2021-09-16T22:58:29.755Z", 6661687, "code42-exfil-share-datatype", "3df126f4a090da12f2c29b6e5c1c29da", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:55:02.481Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant 
duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.388Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314702Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-datetime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"98cfeaa96192d5dccc4a1852f6754fd5\",\"sha256Checksum\":\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"createTimestamp\":\"2021-09-08T09:32:11.142Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.155Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestin
ationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a5f54c34-5c36-5f79-9a0a-cd3443ceaf39", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.388Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-datetime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.155Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027", "2021-09-16T22:52:32.762Z", 11648, "code42-exfil-share-datatype", "98cfeaa96192d5dccc4a1852f6754fd5", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.388Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.142Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 
5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.133Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336694Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":144760,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1edab455db5fec76120731d3c11cb67\",\"sha256Checksum\":\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.823Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\"
:null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f3d93fcd-248c-5cf5-b1e3-7ea6efaeb96e", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.133Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.Core.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.823Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b", "2021-09-16T22:52:32.761Z", 144760, "code42-exfil-share-datatype", "e1edab455db5fec76120731d3c11cb67", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.133Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:01.316Z 804e3b095828 Skyformation - 5313767959944003510 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 dproc=file events dtz=default-tenant end=1631832901316 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:01.316Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.503Z 
ext_md5Checksum=1ed9751c3a3a31efb6d268320a46952a ext_sharedWith=[] ext_sha256Checksum=8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:00.284722Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:01.316Z\",\"insertionTimestamp\":\"2021-09-16T22:56:00.284722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/lisa.anderson/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"1ed9751c3a3a31efb6d268320a46952a\",\"sha256Checksum\":\"8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab\",\"createTimestamp\":\"2020-08-20T15:35:40.032Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.503Z\",\"deviceUserName\":\"lisa.anderson@example.edu\",\"osHostName\":\"LISAA-OFFICIAL-\",\"domainName\":\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.165\",\"0:0:0:0:0:0:0:1\",\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\",\"127.0.0.1\"],\"deviceUid\":\"968364480722593364\",\"userUid\":\"966200991614299301\",\"actor\":null,\"director
yId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"lisa.anderson\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3ebf614-7a41-54e5-b9ad-6e8b032a6820", "observed_start_time": "2021-09-16T22:55:01Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:01.316Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "LISAA-OFFICIAL-", "LISAA-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:55:00.503Z", "text/plain", "MODIFIED", "162.222.47.183", "lisa.anderson", "8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "1ed9751c3a3a31efb6d268320a46952a", 57848, "false", "TRUE", "C:/Users/lisa.anderson/", "Document", "Administrators", "FILE", "966200991614299301", "2021-09-16T22:55:01.316Z", "lisa.anderson@example.edu", "lisa.anderson@example.edu", "2020-08-20T15:35:40.032Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.130Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336068Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d7b70d7ae944e13019a7796eb46e966c\",\"sha256Checksum\":\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2dfdd205-d548-557a-a188-7105930ba081", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.130Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "d7b70d7ae944e13019a7796eb46e966c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.130Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:52:54.712Z 804e3b095828 Skyformation - 1972555328724139685 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 dproc=file events dtz=default-tenant end=1631832774712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:54.712Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:52:53.806Z ext_md5Checksum=352c6e242381d6d2fd656d2ffe3f05a9 ext_sharedWith=[] ext_sha256Checksum=97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:02.107014Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:52:54.712Z\",\"insertionTimestamp\":\"2021-09-16T22:54:02.107014Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/michelle.goldberg/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"352c6e242381d6d2fd656d2ffe3f05a9\",\"sha256Checksum\":\"97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d\",\"createTimestamp\":\"2020-08-14T14:53:22.049Z\",\"modifyTimestamp\":\"2021-09-16T22:52:53.806Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeT
ypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:52:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7c4b7cfb-ff1f-59b1-93a0-91313fa71439", "observed_start_time": "2021-09-16T22:52:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:52:54.712Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": 
"modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:52:53.806Z", "text/plain", "MODIFIED", "162.222.47.183", "michelle.goldberg", "97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "352c6e242381d6d2fd656d2ffe3f05a9", 57848, "false", "TRUE", "C:/Users/michelle.goldberg/", "Document", "Administrators", "FILE", "922302705889597824", "2021-09-16T22:52:54.712Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2020-08-14T14:53:22.049Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z 
ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.328Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c329416237b094613fc5f5a64b2ecbce\",\"sha256Checksum\":\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"createTimestamp\":\"2021-09-09T09:44:28.564Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.664Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removable
MediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-53045a88-f6cf-5c78-9b45-7919c983dd54", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": 
"2021-09-16T22:48:18.328Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.664Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75", "2021-09-16T22:52:32.765Z", 30720, "code42-exfil-share-datatype", "c329416237b094613fc5f5a64b2ecbce", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.328Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.564Z"]]}}, {"suspicious": 
0, "description": "```\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337186Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"YourPhoneServer.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47104,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"640c3b31c496531dacc0a8fb830fd457\",\"sha256Checksum\":\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"createTimestamp\":\"2021-09-09T09:44:28.653Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.484Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"pr
ocessName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb1cd9ba-bcbf-5e7c-bff6-a1f16c9d579f", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.178Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneServer.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.484Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7", "2021-09-16T22:52:32.765Z", 47104, "code42-exfil-share-datatype", "640c3b31c496531dacc0a8fb830fd457", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.653Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:50:54.234Z 804e3b095828 Skyformation - 8299296745530260548 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 dproc=file events dtz=default-tenant end=1631832654234 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:50:54.234Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:50:53.422Z ext_md5Checksum=f9f18977a180437631eb8e969d503075 ext_sharedWith=[] 
ext_sha256Checksum=cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:51:57.205056Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:50:54.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:57.205056Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/russell.martin/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"f9f18977a180437631eb8e969d503075\",\"sha256Checksum\":\"cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022\",\"createTimestamp\":\"2020-08-21T01:27:36.760Z\",\"modifyTimestamp\":\"2021-09-16T22:50:53.422Z\",\"deviceUserName\":\"russell.martin@example.edu\",\"osHostName\":\"RUSSELLM-OFFICI\",\"domainName\":\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.162\",\"fe80:0:0:0:49f7:c945:904:10d5%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423453587837882\",\"userUid\":\"966201050854648997\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":nul
l,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"russell.martin\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:50:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4162539b-fbca-51cf-b6e4-0a6b26d39962", "observed_start_time": "2021-09-16T22:50:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:50:54.234Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "RUSSELLM-OFFICI", "RUSSELLM-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:50:53.422Z", "text/plain", "MODIFIED", "162.222.47.183", "russell.martin", "cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022", "2021-09-16T22:52:32.764Z", 21, "code42-exfil-share-datatype", "f9f18977a180437631eb8e969d503075", 57848, "false", "TRUE", "C:/Users/russell.martin/", "Document", "Administrators", "FILE", "966201050854648997", "2021-09-16T22:50:54.234Z", "russell.martin@example.edu", "russell.martin@example.edu", "2020-08-21T01:27:36.760Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 
ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.216Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337256Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"libnanoapi.lib\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":1570,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bb41b302cf1325c4f459616da8e605a2\",\"sha256Checksum\":\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"createTimestamp\":\"2021-09-09T09:44:28.468Z\",\"modifyTimestamp\":\"2021-09-09T09:44:30.262Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-archive\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters
\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f011d516-96c8-5ad3-a4b0-533801bdca65", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.216Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": 
"string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libnanoapi.lib", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:30.262Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df", "2021-09-16T22:52:32.763Z", 1570, "code42-exfil-share-datatype", "bb41b302cf1325c4f459616da8e605a2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/", "Archive", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.216Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.468Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll 
fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:30.321Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337686Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"inktotextengineimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":346480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3579a936952da7532c4358700bed43a3\",\"sha256Checksum\":\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.674Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":
false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:30Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b5817d5a-4a72-58ec-81bc-5a28f291f095", "observed_start_time": "2021-09-16T22:48:30Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:30.321Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "inktotextengineimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.674Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82", "2021-09-16T22:52:32.762Z", 346480, "code42-exfil-share-datatype", "3579a936952da7532c4358700bed43a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:30.321Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.295Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335136Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5a9f0b52ac62762bd03d34c0e410acb3\",\"sha256Checksum\":\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.316Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removabl
eMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-a05b4e8f-6202-5499-ba07-3718cf72c197", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.295Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.316Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0", "2021-09-16T22:52:32.760Z", 15224, "code42-exfil-share-datatype", "5a9f0b52ac62762bd03d34c0e410acb3", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.295Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.241Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335618Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",\"sha256Checksum\":\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.863Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a0de864d-2900-5255-812e-84ad1269fe51", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.863Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d", "2021-09-16T22:52:32.765Z", 15240, "code42-exfil-share-datatype", "d1b7ec7c3a95ec1e84117bfef59f1ab6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.241Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.330Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335818Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1b1e7bc04757e673ca956218abdb7959\",\"sha256Checksum\":\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"createTimestamp\":\"2021-08-18T09:55:42.393Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.144Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removabl
eMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-72a3a626-c665-500e-8f8e-348475fffa7a", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.330Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.144Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb", "2021-09-16T22:52:32.766Z", 15736, "code42-exfil-share-datatype", "1b1e7bc04757e673ca956218abdb7959", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.330Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.393Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.233Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336279Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":35728,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1b4ed26020dd106aaf2e1a6265dce9d\",\"sha256Checksum\":\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"createTimestamp\":\"2021-08-18T09:55:42.627Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.224Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b94cad0a-dbae-50b0-8247-6f277b16ef62", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.233Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.224Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f", "2021-09-16T22:52:32.760Z", 35728, "code42-exfil-share-datatype", "e1b4ed26020dd106aaf2e1a6265dce9d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.233Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.627Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:46.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315412Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"fileName\":\"qtquickextrasplugin.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":80256,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"68118cdf04def6c50804a705773bbd9b\",\"sha256Checksum\":\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"createTimestamp\":\"2021-09-08T09:32:21.221Z\",\"modifyTimestamp\":\"2021-09-08T09:32:21.223Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,
\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:46Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4a0c230f-9717-5e9f-a713-a19dc76fff57", "observed_start_time": "2021-09-16T22:48:46Z", "count": 1, 
"observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:46.178Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "qtquickextrasplugin.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:21.223Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8", "2021-09-16T22:52:32.765Z", 80256, "code42-exfil-share-datatype", "68118cdf04def6c50804a705773bbd9b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:46.178Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:21.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.278Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336341Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"UIAutomationClient.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18320,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e55e4041d9e6f6bf0d3738a25255913\",\"sha256Checksum\":\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.271Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\
":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-05bbd72b-3d43-546c-9d35-945d8f707e57", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.278Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationClient.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.271Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f", "2021-09-16T22:52:32.762Z", 18320, "code42-exfil-share-datatype", "5e55e4041d9e6f6bf0d3738a25255913", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.278Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.345Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337890Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSync.Resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2382208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"3c69d0029f27ff52a1b4d3f70fef0d2b\",\"sha256Checksum\":\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"createTimestamp\":\"2021-09-08T09:32:12.114Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.146Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-948e9f79-dc63-5056-aea8-c68e06874928", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.345Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": 
"src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSync.Resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.146Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f", "2021-09-16T22:52:32.760Z", 2382208, "code42-exfil-share-datatype", "3c69d0029f27ff52a1b4d3f70fef0d2b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.345Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.114Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.322Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335199Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"WindowsFormsIntegration.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",\"sha256Checksum\":\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.379Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-591003e3-d294-5b92-b79e-0b8f876ef71a", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.322Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsFormsIntegration.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.379Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281", "2021-09-16T22:52:32.766Z", 14736, "code42-exfil-share-datatype", "6e8097b4e0d86ed2d1fc1f6f1e3d3ed4", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.322Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.409Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314795Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-interlocked-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11640,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"72413f1254d09348dab76ee4e5e2e300\",\"sha256Checksum\":\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"createTimestamp\":\"2021-09-08T09:32:11.394Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.395Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0
:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains 
observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9d71ceb9-5bd1-5f54-9ab2-e4c2b17d36ec", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.409Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", 
"api-ms-win-core-interlocked-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.395Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9", "2021-09-16T22:52:32.767Z", 11640, "code42-exfil-share-datatype", "72413f1254d09348dab76ee4e5e2e300", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.409Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.394Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336992Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.ComponentModel.Annotations.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":43152,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"7d3d14b0417a68ccdd9c51972ff74863\",\"sha256Checksum\":\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d53d7240-3aa7-5101-93e4-21c54bf8057d", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.258Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ComponentModel.Annotations.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4", "2021-09-16T22:52:32.766Z", 43152, "code42-exfil-share-datatype", "7d3d14b0417a68ccdd9c51972ff74863", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.391Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314714Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-debug-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5c7fa0b68872c2d1d3f10601e3af2341\",\"sha256Checksum\":\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"createTimestamp\":\"2021-09-08T09:32:11.181Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.185Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"r
emovableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-76f5923e-90cb-5871-a068-f325c3b14df5", "observed_start_time": "2021-09-16T22:48:40Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.391Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-debug-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.185Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477", "2021-09-16T22:52:32.758Z", 11648, "code42-exfil-share-datatype", "5c7fa0b68872c2d1d3f10601e3af2341", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.391Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:11.181Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 
ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:59:02.980Z\",\"insertionTimestamp\":\"2021-09-16T23:01:17.003636Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661803,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7a691f6c406d52373ad2c62e2f480bb3\",\"sha256Checksum\":\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:59:00.670Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:59:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61482_bb3b8a648af1"], "disposition": 5, 
"short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44f8d201-58cc-59b9-97c3-f246c522fbbf", "observed_start_time": "2021-09-16T22:59:02Z", "count": 1, "observable_type": "ip", "ctr_uuid": "2b62502c-3789-473e-82ed-1635c31f6ebb", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:59:02.980Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": 
"string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:59:00.670Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3", "2021-09-16T23:02:30.314Z", 6661803, "code42-exfil-share-datatype", "7a691f6c406d52373ad2c62e2f480bb3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:59:02.980Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z 
ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.194Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336844Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Options.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":50552,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"89c3d573e8b2e5a71850a69f14fff1a5\",\"sha256Checksum\":\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d48070bb-5f27-5c2d-988d-60be6d9b5bf9", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.194Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Options.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c", "2021-09-16T22:52:32.763Z", 50552, "code42-exfil-share-datatype", "89c3d573e8b2e5a71850a69f14fff1a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.194Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.199Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315098Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-runtime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":16248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"439e89fa2d4882b639df5e8ec7a96ba3\",\"sha256Checksum\":\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"createTimestamp\":\"2021-09-08T09:32:11.868Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\
"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a0d1586a-980b-53db-a3bd-54d0da5b1f6c", "observed_start_time": "2021-09-16T22:48:41Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.199Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-runtime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862", "2021-09-16T22:52:32.759Z", 16248, "code42-exfil-share-datatype", "439e89fa2d4882b639df5e8ec7a96ba3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.199Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:11.868Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.248Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315215Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"ipcfile.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":519040,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c0ae22d4188ac20d9d83dd26ad0aabe8\",\"sha256Checksum\":\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"createTimestamp\":\"2021-09-08T09:32:13.591Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.599Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\
":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-688ee4c8-f77c-5f46-9836-4348af79eaac", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.248Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ipcfile.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:13.599Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0", "2021-09-16T22:52:32.766Z", 519040, "code42-exfil-share-datatype", "c0ae22d4188ac20d9d83dd26ad0aabe8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.248Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:57:00.388Z 804e3b095828 Skyformation - 828612858482025544 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 dproc=file events dtz=default-tenant end=1631833020388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:00.388Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:59.574Z ext_md5Checksum=8efa479f501fce555f0d148ed15700ff ext_sharedWith=[] 
ext_sha256Checksum=7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:23.763511Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:57:00.388Z\",\"insertionTimestamp\":\"2021-09-16T22:58:23.763511Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"8efa479f501fce555f0d148ed15700ff\",\"sha256Checksum\":\"7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T22:56:59.574Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sha
redWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:57:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-16c0c82f-103f-5735-8035-176b59587558", "observed_start_time": "2021-09-16T22:57:00Z", "count": 1, "observable_type": "ip", "ctr_uuid": "939e6101-de49-4225-a54a-08c9718d357c", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:57:00.388Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", 
"KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:56:59.574Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0", "2021-09-16T23:00:29.721Z", 21, "code42-exfil-share-datatype", "8efa479f501fce555f0d148ed15700ff", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T22:57:00.388Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.201Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314355Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.WebSocketClient.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1103208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"e93c70df0faa580e8272c9c833238352\",\"sha256Checksum\":\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"createTimestamp\":\"2021-09-08T09:32:14.457Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.468Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":fals
e,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6c6ba0d2-5cb7-5fb4-b8fa-b1ddcca2b916", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.201Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.WebSocketClient.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.468Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00", "2021-09-16T22:52:32.763Z", 1103208, "code42-exfil-share-datatype", "e93c70df0faa580e8272c9c833238352", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.201Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.457Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.250Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336984Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Collections.Immutable.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":302216,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d8203aedaabeac1e606cd0e2af397d01\",\"sha256Checksum\":\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.294Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNum
ber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-a06655bf-1d69-5734-9385-bedd69f54dde", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.250Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Collections.Immutable.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.294Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57", "2021-09-16T22:52:32.760Z", 302216, "code42-exfil-share-datatype", "d8203aedaabeac1e606cd0e2af397d01", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", 
"Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.250Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:45.200Z 804e3b095828 Skyformation - 4568069721930504518 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 dproc=file events dtz=default-tenant end=1631832945200 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:45.200Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:44.294Z ext_md5Checksum=443f8cb00cc5111045099941ed333760 ext_sharedWith=[] ext_sha256Checksum=0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:57.527022Z 
ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:45.200Z\",\"insertionTimestamp\":\"2021-09-16T22:56:57.527022Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/eric.strauss/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"443f8cb00cc5111045099941ed333760\",\"sha256Checksum\":\"0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59\",\"createTimestamp\":\"2020-08-14T13:40:10.269Z\",\"modifyTimestamp\":\"2021-09-16T22:55:44.294Z\",\"deviceUserName\":\"eric.strauss@c42se.com\",\"osHostName\":\"ERICS-OFFICIAL-\",\"domainName\":\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:10bc:b19:239f:6063%eth4\",\"172.20.65.70\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"949085489986461736\",\"userUid\":\"886924612955838070\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\
"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"eric.strauss\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:45Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-88010803-a3bd-5c70-ad45-f8a8ff7c5250", "observed_start_time": "2021-09-16T22:55:45Z", "count": 1, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-09-16T22:55:45.200Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ERICS-OFFICIAL-", "ERICS-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:55:44.294Z", "text/plain", "MODIFIED", "162.222.47.183", "eric.strauss", "0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "443f8cb00cc5111045099941ed333760", 57848, "false", "TRUE", "C:/Users/eric.strauss/", "Document", "Administrators", "FILE", "886924612955838070", "2021-09-16T22:55:45.200Z", "eric.strauss@c42se.com", "eric.strauss@c42se.com", "2020-08-14T13:40:10.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 
7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 
ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337748Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"msoimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11529088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3f7fb1d32a7be58e65dc615a9553e183\",\"sha256Checksum\":\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:53.564Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"remov
ableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-c11cb0c5-6ce6-53e6-990a-3db70bde087e", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.153Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msoimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:53.564Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc", "2021-09-16T22:52:32.766Z", 11529088, "code42-exfil-share-datatype", "3f7fb1d32a7be58e65dc615a9553e183", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:31.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.132Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334824Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b81fa8bc88192c7febd2479638aea569\",\"sha256Checksum\":\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"createTimestamp\":\"2021-08-18T09:55:42.158Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.113Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-80f4bd35-8d77-5832-82bc-6e851b01ab6a", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.132Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.113Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "b81fa8bc88192c7febd2479638aea569", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.132Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.158Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:03:00.461Z 804e3b095828 Skyformation - 4596085183447228781 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 dproc=file events dtz=default-tenant end=1631833380461 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:00.461Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:59.649Z ext_md5Checksum=3466b521c7f5908415eda20dae617805 ext_sharedWith=[] ext_sha256Checksum=323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:49.475785Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:03:00.461Z\",\"insertionTimestamp\":\"2021-09-16T23:03:49.475785Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"3466b521c7f5908415eda20dae617805\",\"sha256Checksum\":\"323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T23:02:59.649Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismat
ch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:03:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7e0b6d27-4e43-591e-bfda-6a6ab3f6874a", "observed_start_time": "2021-09-16T23:03:00Z", "count": 1, "observable_type": "ip", "ctr_uuid": "acc3331d-c05a-44d1-b1e8-276faa688494", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:03:00.461Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", 
"type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", "KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:02:59.649Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a", "2021-09-16T23:38:30.159Z", 21, "code42-exfil-share-datatype", "3466b521c7f5908415eda20dae617805", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T23:03:00.461Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant 
duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z 
ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.136Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336703Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"987db26b17dc24d5b7dec25db1c103c2\",\"sha256Checksum\":\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMedia
PartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-25c017fd-4f45-5914-beb2-bc15656fec2f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": 
"2021-09-16T22:48:22.136Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5", "2021-09-16T22:52:32.759Z", 18296, "code42-exfil-share-datatype", "987db26b17dc24d5b7dec25db1c103c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.136Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, 
"description": "```\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337345Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":22965248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3bf2cfa3eeecd650c9564a2b6543b398\",\"sha256Checksum\":\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:51.480Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTit
le\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-faf386d2-1897-5faa-9341-f6a5fc3c9de2", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.281Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:51.480Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680", "2021-09-16T22:52:32.760Z", 22965248, "code42-exfil-share-datatype", "3bf2cfa3eeecd650c9564a2b6543b398", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:51:23.336Z 804e3b095828 Skyformation - 869866733287153498 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 dproc=file events dtz=default-tenant end=1631832683336 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:51:23.336Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:22.415Z ext_md5Checksum=1a91631bf8b9e8f8eebc32c23d289b00 ext_sharedWith=[] 
ext_sha256Checksum=528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:47.736678Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:51:23.336Z\",\"insertionTimestamp\":\"2021-09-16T22:52:47.736678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"1a91631bf8b9e8f8eebc32c23d289b00\",\"sha256Checksum\":\"528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T22:51:22.415Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\
":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:51:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-906a35f1-be54-5c29-beb5-915c1a319598", "observed_start_time": "2021-09-16T22:51:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:51:23.336Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:51:22.415Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad", "2021-09-16T22:54:30.602Z", 21, "code42-exfil-share-datatype", "1a91631bf8b9e8f8eebc32c23d289b00", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T22:51:23.336Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE 
ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315122Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-string-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f340a17ac423c71767d66973f69d05c8\",\"sha256Checksum\":\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"createTimestamp\":\"2021-09-08T09:32:11.882Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.883Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeT
ypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3de744ae-c05b-5cad-b8ba-bf2e42b878c5", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.206Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-string-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.883Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa", "2021-09-16T22:52:32.761Z", 18296, "code42-exfil-share-datatype", "f340a17ac423c71767d66973f69d05c8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.882Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.184Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337194Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"libnanoapimanaged.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7197696,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff0f788645e78335908728321c10454b\",\"sha256Checksum\":\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"createTimestamp\":\"2021-09-09T09:44:28.638Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.359Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"re
movableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3e1bc410-3631-5811-9b1f-f5830fe141bf", "observed_start_time": "2021-09-16T22:48:23Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.184Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "libnanoapimanaged.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.359Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c", "2021-09-16T22:52:32.759Z", 7197696, "code42-exfil-share-datatype", "ff0f788645e78335908728321c10454b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.184Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-09T09:44:28.638Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.089Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336572Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Castle.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":442368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2fba45e50a9fb187e9873416bc6b4400\",\"sha256Checksum\":\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"createTimestamp\":\"2021-05-13T09:36:01.137Z\",\"modifyTimestamp\":\"2021-05-13T09:36:05.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\
"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0f6806eb-5784-52b4-93cd-fa869fedf5ed", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.089Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Castle.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:05.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23", "2021-09-16T22:52:32.760Z", 442368, "code42-exfil-share-datatype", "2fba45e50a9fb187e9873416bc6b4400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.089Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.137Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:47.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315494Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"fileName\":\"OneDriveSetup.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47927168,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82a458793a4b821e54408db1a0ae4124\",\"sha256Checksum\":\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"createTimestamp\":\"2021-09-14T09:30:08.167Z\",\"modifyTimestamp\":\"2021-09-14T09:29:55.334Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applica
tion/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:47Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d31e6464-3207-5c61-87e3-a41b36564185", "observed_start_time": "2021-09-16T22:48:47Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:47.204Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "OneDriveSetup.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-14T09:29:55.334Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4", "2021-09-16T22:52:32.761Z", 47927168, "code42-exfil-share-datatype", "82a458793a4b821e54408db1a0ae4124", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:47.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-14T09:30:08.167Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.268Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334477Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45448,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c9ea75b02fd1d01f87d8ca868c1ec833\",\"sha256Checksum\":\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"createTimestamp\":\"2021-08-18T09:55:42.111Z\",\"modifyTimestamp\":\"2021-08-18T09:55:47.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removable
MediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c9f0fbfb-5ab6-542b-a192-b8fd98e410f9", 
"observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.268Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:47.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d", "2021-09-16T22:52:32.759Z", 45448, "code42-exfil-share-datatype", "c9ea75b02fd1d01f87d8ca868c1ec833", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:18.268Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.111Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:00:01.360Z 804e3b095828 Skyformation - 3885683649781971647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 dproc=file events dtz=default-tenant end=1631833201360 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:01.360Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:00.548Z ext_md5Checksum=6ef406323b86ee9fc610e512e565eceb ext_sharedWith=[] ext_sha256Checksum=a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:01:26.761677Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:00:01.360Z\",\"insertionTimestamp\":\"2021-09-16T23:01:26.761677Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/lisa.anderson/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"6ef406323b86ee9fc610e512e565eceb\",\"sha256Checksum\":\"a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606\",\"createTimestamp\":\"2020-08-20T15:35:40.032Z\",\"modifyTimestamp\":\"2021-09-16T23:00:00.548Z\",\"deviceUserName\":\"lisa.anderson@example.edu\",\"osHostName\":\"LISAA-OFFICIAL-\",\"domainName\":\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.165\",\"0:0:0:0:0:0:0:1\",\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\",\"127.0.0.1\"],\"deviceUid\":\"968364480722593364\",\"userUid\":\"966200991614299301\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removab
leMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"lisa.anderson\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:00:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b5131dad-59b7-5e9c-af0c-bd9880bf8180", "observed_start_time": "2021-09-16T23:00:01Z", "count": 1, "observable_type": "ip", "ctr_uuid": "82ff18f9-a2f2-468e-b769-864955bf9f94", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T23:00:01.360Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "LISAA-OFFICIAL-", "LISAA-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:00:00.548Z", "text/plain", "MODIFIED", "162.222.47.183", "lisa.anderson", "a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606", "2021-09-16T23:02:30.314Z", 21, "code42-exfil-share-datatype", "6ef406323b86ee9fc610e512e565eceb", 57848, "false", "TRUE", "C:/Users/lisa.anderson/", "Document", "Administrators", "FILE", "966200991614299301", "2021-09-16T23:00:01.360Z", "lisa.anderson@example.edu", "lisa.anderson@example.edu", "2020-08-20T15:35:40.032Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.158Z 
804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336139Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f96e04ea6cbce1560b83bff7a42f29b0\",\"sha256Checksum\":\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\
"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a7debce1-3ffd-50ca-b4dd-86c49407a4b2", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.158Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9", "2021-09-16T22:52:32.763Z", 14224, "code42-exfil-share-datatype", "f96e04ea6cbce1560b83bff7a42f29b0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:00:53.518Z 804e3b095828 Skyformation - 9157518344019267215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 dproc=file events dtz=default-tenant end=1631833253518 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:53.518Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:52.603Z ext_md5Checksum=07123ecb22ebf61f593efe09b307cb58 
ext_sharedWith=[] ext_sha256Checksum=6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:35.401169Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:00:53.518Z\",\"insertionTimestamp\":\"2021-09-16T23:02:35.401169Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/alex.cooper/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"07123ecb22ebf61f593efe09b307cb58\",\"sha256Checksum\":\"6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217\",\"createTimestamp\":\"2020-08-14T13:57:46.726Z\",\"modifyTimestamp\":\"2021-09-16T23:00:52.603Z\",\"deviceUserName\":\"alex.cooper@c42se.com\",\"osHostName\":\"ALEXC-OFFICIAL-\",\"domainName\":\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.65.62\",\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944595906935824510\",\"userUid\":\"925771637667629373\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":nul
l,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"alex.cooper\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:00:53Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_14_61484_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0f0674ff-844f-5bef-96fa-3838e5680bbb", "observed_start_time": "2021-09-16T23:00:53Z", "count": 1, "observable_type": "ip", "ctr_uuid": "8b4565a6-1f89-498b-bd58-e2b514f127a1", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:00:53.518Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ALEXC-OFFICIAL-", 
"ALEXC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:00:52.603Z", "text/plain", "MODIFIED", "162.222.47.183", "alex.cooper", "6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217", "2021-09-16T23:04:29.765Z", 21, "code42-exfil-share-datatype", "07123ecb22ebf61f593efe09b307cb58", 57848, "false", "TRUE", "C:/Users/alex.cooper/", "Document", "Administrators", "FILE", "925771637667629373", "2021-09-16T23:00:53.518Z", "alex.cooper@c42se.com", "alex.cooper@c42se.com", "2020-08-14T13:57:46.726Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.207Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314378Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":729448,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"4bb5499613eca0fe0670a3cab2d5318e\",\"sha256Checksum\":\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"createTimestamp\":\"2021-09-08T09:32:14.205Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.217Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e2f84dc5-c14e-5c9e-8387-08f1c5f04b0d", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.207Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": 
"src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.217Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636", "2021-09-16T22:52:32.764Z", 729448, "code42-exfil-share-datatype", "4bb5499613eca0fe0670a3cab2d5318e", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.207Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.205Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.134Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336077Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Forms.Design.Editors.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":78200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3feb5a138ff178c1dd47a8a99f394517\",\"sha256Checksum\":\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.771Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removab
leMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-df2ba03f-9021-5a29-9af0-4d748fd81b32", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.134Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.Design.Editors.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.771Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30", "2021-09-16T22:52:32.759Z", 78200, "code42-exfil-share-datatype", "3feb5a138ff178c1dd47a8a99f394517", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.134Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:58:45.240Z 804e3b095828 Skyformation - 1503382521195344208 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 dproc=file events dtz=default-tenant end=1631833125240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:58:45.240Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:58:44.334Z ext_md5Checksum=4d815e327303356a651e8f6309dbddb2 ext_sharedWith=[] ext_sha256Checksum=44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:23.643528Z ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:58:45.240Z\",\"insertionTimestamp\":\"2021-09-16T23:02:23.643528Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/eric.strauss/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4d815e327303356a651e8f6309dbddb2\",\"sha256Checksum\":\"44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e\",\"createTimestamp\":\"2020-08-14T13:40:10.269Z\",\"modifyTimestamp\":\"2021-09-16T22:58:44.334Z\",\"deviceUserName\":\"eric.strauss@c42se.com\",\"osHostName\":\"ERICS-OFFICIAL-\",\"domainName\":\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:10bc:b19:239f:6063%eth4\",\"172.20.65.70\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"949085489986461736\",\"userUid\":\"886924612955838070\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"re
movableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"eric.strauss\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:58:45Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1c9475b8-bc10-5f3a-a528-b8a5ae119847", 
"observed_start_time": "2021-09-16T22:58:45Z", "count": 1, "observable_type": "ip", "ctr_uuid": "ac383ed4-03ef-4ca4-ab67-7192058fdf33", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:58:45.240Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ERICS-OFFICIAL-", "ERICS-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:58:44.334Z", "text/plain", "MODIFIED", "162.222.47.183", "eric.strauss", "44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e", "2021-09-16T23:04:29.763Z", 21, "code42-exfil-share-datatype", "4d815e327303356a651e8f6309dbddb2", 57848, "false", "TRUE", "C:/Users/eric.strauss/", "Document", "Administrators", "FILE", "886924612955838070", "2021-09-16T22:58:45.240Z", "eric.strauss@c42se.com", 
"eric.strauss@c42se.com", "2020-08-14T13:40:10.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336975Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Buffers.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20856,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ecdfe8ede869d2ccc6bf99981ea96400\",\"sha256Checksum\":\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.607Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,
\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-eb0c66e8-84ad-581a-9f9a-25cebb09004f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.246Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Buffers.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.607Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb", "2021-09-16T22:52:32.759Z", 20856, "code42-exfil-share-datatype", "ecdfe8ede869d2ccc6bf99981ea96400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.307Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":53112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0bf7eed5f18b294cd26d33a71c831237\",\"sha256Checksum\":\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.098Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dd407cc3-3f46-5b52-b2e8-65ebc0e516ed", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.307Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.098Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28", "2021-09-16T22:52:32.764Z", 53112, "code42-exfil-share-datatype", "0bf7eed5f18b294cd26d33a71c831237", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.307Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:03:22.644Z 804e3b095828 Skyformation - 273274590069601610 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 dproc=file events dtz=default-tenant end=1631833402644 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:22.644Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:03:22.573Z ext_md5Checksum=b65499280f2f8d7b7151a3fa44c0a24f ext_sharedWith=[] ext_sha256Checksum=417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:09:05.264820Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:03:22.644Z\",\"insertionTimestamp\":\"2021-09-16T23:09:05.264820Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"b65499280f2f8d7b7151a3fa44c0a24f\",\"sha256Checksum\":\"417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T23:03:22.573Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":f
alse,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:03:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-72310698-525a-5a66-a3ee-20a1deca64d3", "observed_start_time": "2021-09-16T23:03:22Z", "count": 1, "observable_type": "ip", "ctr_uuid": "78ece332-023a-4318-975d-a6c6d25a3ffb", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:03:22.644Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": 
"string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:03:22.573Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38", "2021-09-16T23:38:30.159Z", 21, "code42-exfil-share-datatype", "b65499280f2f8d7b7151a3fa44c0a24f", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T23:03:22.644Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username 
duser=darnell.waters end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.411Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314807Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"94d4e2bb8654b77c41cd35574e3f0299\",\"sha256Checksum\":\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"createTimestamp\":\"2021-09-08T09:32:11.401Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.402Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncD
estinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3a79e39-11d3-53f1-b007-2ec9ea47ae64", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.411Z"}, "ctr_hide": false, "clean": 0, 
"data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-libraryloader-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.402Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082", "2021-09-16T22:52:32.762Z", 12664, "code42-exfil-share-datatype", "94d4e2bb8654b77c41cd35574e3f0299", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.411Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.401Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 
Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] 
ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337062Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Threading.Channels.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"523c15d2368a36583c90119fd9f52fe7\",\"sha256Checksum\":\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.230Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowT
itle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cb6020cb-fa6b-58ab-9a08-8c624a73ee5b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.288Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Threading.Channels.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.230Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0", "2021-09-16T22:52:32.766Z", 45952, "code42-exfil-share-datatype", "523c15d2368a36583c90119fd9f52fe7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}], "revListOrder": 4}, "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f5f1e5c6", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "ip", "value": "162.222.47.183"}, "type": "warning", "action_id": "84f9c555-287e-4ed0-9caf-8ff5f23a21dc", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for 162.222.47.183 than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "disposition": 5, "type": "ip", "value": "162.222.47.183", "id": "f5f1e5c6"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-e15f8317-1d85-47bc-a66d-f29278645b09", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T08:32:32.184Z", "nodePositions": {"f5f1e5c6": {"y": 6.593275760293544e-09, "category": "ip", "isAsset": false, "index": 0, "modules": ["Exabeam"], "5:ip": true, "value": "162.222.47.183", "type": "ip", "state": "ok", "disposition": 5, "disposition_name": "Unknown", "vx": 0, "vy": 0, "id": "f5f1e5c6", "investigated": true, "x": 0.04662150000336455}}, "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "ip:\"162.222.47.183\"", "actions": "[{\"arg\":\"162.222.47.183\",\"created\":\"2021-09-17T08:28:35.340Z\",\"id\":\"collect-27650878\",\"result\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T08:28:35.548Z\",\"uuid\":\"4565fef0-1b78-4e97-9075-aae933cde512\"},{\"arg\":{\"type\":\"ip\",\"value\":\"162.222.47.183\"},\"created\":\"2021-09-17T08:28:35.567Z\",\"id\":\"investigate-ecd30f91\",\"result\":{\"data\":[{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":100,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant 
duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.288Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337062Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Threading.Channels.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":45952,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"523c15d2368a36583c90119fd9f52fe7\\\",\\\"sha256Checksum\\\":\\\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.230Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\
\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-cb6020cb-fa6b-58ab-9a08-8c624a73ee5b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.288Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Threading.Channels.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.230Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"2021-09-16T22:52:32.766Z\",45952,\"code42-exfil-share-datatype\",\"523c15d2368a36583c90119fd9f52fe7\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.288Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.411Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314807Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-libraryloader-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12664,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"94d4e2bb8654b77c41cd35574e3f0299\\\",\\\"sha256Checksum\\\":\\\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.401Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.402Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"rem
ovableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d3a79e39-11d3-53f1-b007-2ec9ea47ae64\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.411Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"DAR
NELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.402Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"2021-09-16T22:52:32.762Z\",12664,\"code42-exfil-share-datatype\",\"94d4e2bb8654b77c41cd35574e3f0299\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.411Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.401Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:03:22.644Z 804e3b095828 Skyformation - 273274590069601610 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 dproc=file events dtz=default-tenant end=1631833402644 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:22.644Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:03:22.573Z 
ext_md5Checksum=b65499280f2f8d7b7151a3fa44c0a24f ext_sharedWith=[] ext_sha256Checksum=417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:09:05.264820Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:03:22.644Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:09:05.264820Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/john.miller/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"b65499280f2f8d7b7151a3fa44c0a24f\\\",\\\"sha256Checksum\\\":\\\"417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:36:29.460Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:03:22.573Z\\\",\\\"deviceUserName\\\":\\\"john.miller@c42se.com\\\",\\\"osHostName\\\":\\\"JOHNM-OFFICIAL-\\\",\\\"domainName\\\":\\\"JOHNM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\\\",\\\"0:0:0:0:0:
0:0:1\\\",\\\"172.20.64.238\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944596934062634167\\\",\\\"userUid\\\":\\\"920256648733700755\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"john.miller\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-72310698-525a-5a66-a3ee-20a1deca64d3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:03:22.644Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.interna
l\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"JOHNM-OFFICIAL-\",\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:03:22.573Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"john.miller\",\"417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38\",\"2021-09-16T23:38:30.159Z\",21,\"code42-exfil-share-datatype\",\"b65499280f2f8d7b7151a3fa44c0a24f\",57848,\"false\",\"TRUE\",\"C:/Users/john.miller/\",\"Document\",\"Administrators\",\"FILE\",\"920256648733700755\",\"2021-09-16T23:03:22.644Z\",\"john.miller@c42se.com\",\"john.miller@c42se.com\",\"2020-08-14T14:36:29.460Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.307Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335765Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"PresentationUI.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":53112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"0bf7eed5f18b294cd26d33a71c831237\\\",\\\"sha256Checksum\\\":\\\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.377Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.098Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-dd407cc3-3f46-5b52-b2e8-65ebc0e516ed\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.307Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationUI.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.098Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"2021-09-16T22:52:32.764Z\",53112,\"code42-exfil-share-datatype\",\"0bf7eed5f18b294cd26d33a71c831237\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.307Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.377Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.246Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336975Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Buffers.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":20856,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ecdfe8ede869d2ccc6bf99981ea96400\\\",\\\"sha256Checksum\\\":\\\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.619Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.607Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\
\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-eb0c66e8-84ad-581a-9f9a-25cebb09004f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.246Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Buffers.dll\",\"DARNELLW-OFFICI\",\"DARNELL
W-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.607Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"2021-09-16T22:52:32.759Z\",20856,\"code42-exfil-share-datatype\",\"ecdfe8ede869d2ccc6bf99981ea96400\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.246Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.619Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:58:45.240Z 804e3b095828 Skyformation - 1503382521195344208 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 dproc=file events dtz=default-tenant end=1631833125240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:58:45.240Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:58:44.334Z 
ext_md5Checksum=4d815e327303356a651e8f6309dbddb2 ext_sharedWith=[] ext_sha256Checksum=44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:23.643528Z ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:58:45.240Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:02:23.643528Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/eric.strauss/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"4d815e327303356a651e8f6309dbddb2\\\",\\\"sha256Checksum\\\":\\\"44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e\\\",\\\"createTimestamp\\\":\\\"2020-08-14T13:40:10.269Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:58:44.334Z\\\",\\\"deviceUserName\\\":\\\"eric.strauss@c42se.com\\\",\\\"osHostName\\\":\\\"ERICS-OFFICIAL-\\\",\\\"domainName\\\":\\\"ERICS-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:10bc:b19:239f:6063%eth4\\\",\\\"172.20.65
.70\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"949085489986461736\\\",\\\"userUid\\\":\\\"886924612955838070\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"eric.strauss\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1c9475b8-bc10-5f3a-a528-b8a5ae119847\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:58:45.240Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"ERICS-OFFICIAL-\",\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:58:44.334Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"eric.strauss\",\"44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e\",\"2021-09-16T23:04:29.763Z\",21,\"code42-exfil-share-datatype\",\"4d815e327303356a651e8f6309dbddb2\",57848,\"false\",\"TRUE\",\"C:/Users/eric.strauss/\",\"Document\",\"Administrators\",\"FILE\",\"886924612955838070\",\"2021-09-16T22:58:45.240Z\",\"eric.strauss@c42se.com\",\"eric.strauss@c42se.com\",\"2020-08-14T13:40:10.269Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.134Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336077Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"System.Windows.Forms.Design.Editors.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":78200,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3feb5a138ff178c1dd47a8a99f394517\\\",\\\"sha256Checksum\\\":\\\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.771Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipie
nts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-df2ba03f-9021-5a29-9af0-4d748fd81b32\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.134Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Forms.Design.Editors.resources.dl
l\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.771Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"2021-09-16T22:52:32.759Z\",78200,\"code42-exfil-share-datatype\",\"3feb5a138ff178c1dd47a8a99f394517\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.134Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.207Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314378Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":729448,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"4bb5499613eca0fe0670a3cab2d5318e\\\",\\\"sha256Checksum\\\":\\\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.205Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.217Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMedi
aName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-e2f84dc5-c14e-5c9e-8387-08f1c5f04b0d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.207Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.exe\",\"DARNELLW-OFFICI\",\
"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.217Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"2021-09-16T22:52:32.764Z\",729448,\"code42-exfil-share-datatype\",\"4bb5499613eca0fe0670a3cab2d5318e\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.207Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.205Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:00:53.518Z 804e3b095828 Skyformation - 9157518344019267215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 dproc=file events dtz=default-tenant end=1631833253518 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:53.518Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:52.603Z ext_md5Checksum=07123ecb22ebf61f593efe09b307cb58 ext_sharedWith=[] 
ext_sha256Checksum=6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:35.401169Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:00:53.518Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:02:35.401169Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/alex.cooper/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"07123ecb22ebf61f593efe09b307cb58\\\",\\\"sha256Checksum\\\":\\\"6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217\\\",\\\"createTimestamp\\\":\\\"2020-08-14T13:57:46.726Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:00:52.603Z\\\",\\\"deviceUserName\\\":\\\"alex.cooper@c42se.com\\\",\\\"osHostName\\\":\\\"ALEXC-OFFICIAL-\\\",\\\"domainName\\\":\\\"ALEXC-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.65.62\\\",\\\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\
\\"],\\\"deviceUid\\\":\\\"944595906935824510\\\",\\\"userUid\\\":\\\"925771637667629373\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"alex.cooper\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_14_61484_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 
30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0f0674ff-844f-5bef-96fa-3838e5680bbb\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:00:53.518Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"ALEXC-OFFICIAL-
\",\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:00:52.603Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"alex.cooper\",\"6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217\",\"2021-09-16T23:04:29.765Z\",21,\"code42-exfil-share-datatype\",\"07123ecb22ebf61f593efe09b307cb58\",57848,\"false\",\"TRUE\",\"C:/Users/alex.cooper/\",\"Document\",\"Administrators\",\"FILE\",\"925771637667629373\",\"2021-09-16T23:00:53.518Z\",\"alex.cooper@c42se.com\",\"alex.cooper@c42se.com\",\"2020-08-14T13:57:46.726Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.158Z 804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.158Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336139Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f96e04ea6cbce1560b83bff7a42f29b0\\\",\\\"sha256Checksum\\\":\\\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.849Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a7debce1-3ffd-50ca-b4dd-86c49407a4b2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.158Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.849Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"2021-09-16T22:52:32.763Z\",14224,\"code42-exfil-share-datatype\",\"f96e04ea6cbce1560b83bff7a42f29b0\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.158Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:00:01.360Z 804e3b095828 Skyformation - 3885683649781971647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 dproc=file events dtz=default-tenant end=1631833201360 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:01.360Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:00.548Z 
ext_md5Checksum=6ef406323b86ee9fc610e512e565eceb ext_sharedWith=[] ext_sha256Checksum=a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:01:26.761677Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:00:01.360Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:01:26.761677Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/lisa.anderson/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"6ef406323b86ee9fc610e512e565eceb\\\",\\\"sha256Checksum\\\":\\\"a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606\\\",\\\"createTimestamp\\\":\\\"2020-08-20T15:35:40.032Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:00:00.548Z\\\",\\\"deviceUserName\\\":\\\"lisa.anderson@example.edu\\\",\\\"osHostName\\\":\\\"LISAA-OFFICIAL-\\\",\\\"domainName\\\":\\\"LISAA-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.165\\\",\\\"
0:0:0:0:0:0:0:1\\\",\\\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968364480722593364\\\",\\\"userUid\\\":\\\"966200991614299301\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"lisa.anderson\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_0_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b5131dad-59b7-5e9c-af0c-bd9880bf8180\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:00:01.360Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-in
t-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"LISAA-OFFICIAL-\",\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:00:00.548Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"lisa.anderson\",\"a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606\",\"2021-09-16T23:02:30.314Z\",21,\"code42-exfil-share-datatype\",\"6ef406323b86ee9fc610e512e565eceb\",57848,\"false\",\"TRUE\",\"C:/Users/lisa.anderson/\",\"Document\",\"Administrators\",\"FILE\",\"966200991614299301\",\"2021-09-16T23:00:01.360Z\",\"lisa.anderson@example.edu\",\"lisa.anderson@example.edu\",\"2020-08-20T15:35:40.032Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:18.268Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334477Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\\\",\\\"fileName\\\":\\\"PresentationUI.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":45448,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c9ea75b02fd1d01f87d8ca868c1ec833\\\",\\\"sha256Checksum\\\":\\\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.111Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:47.879Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c9f0fbfb-5ab6-542b-a192-b8fd98e410f9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:18.268Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationUI.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:47.879Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"2021-09-16T22:52:32.759Z\",45448,\"code42-exfil-share-datatype\",\"c9ea75b02fd1d01f87d8ca868c1ec833\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:18.268Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.111Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:47.204Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315494Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\\\",\\\"fileName\\\":\\\"OneDriveSetup.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":47927168,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"82a458793a4b821e54408db1a0ae4124\\\",\\\"sha256Checksum\\\":\\\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\\\",\\\"createTimestamp\\\":\\\"2021-09-14T09:30:08.167Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-14T09:29:55.334Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null
,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d31e6464-3207-5c61-87e3-a41b36564185\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:47.204Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"OneDriveSetup.exe\",\"DARNELLW-OFFICI\",\"DARNELLW
-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-14T09:29:55.334Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"2021-09-16T22:52:32.761Z\",47927168,\"code42-exfil-share-datatype\",\"82a458793a4b821e54408db1a0ae4124\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:47.204Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-14T09:30:08.167Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.089Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336572Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Castle.Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":442368,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"2fba45e50a9fb187e9873416bc6b4400\\\",\\\"sha256Checksum\\\":\\\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.137Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:05.699Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\
":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0f6806eb-5784-52b4-93cd-fa869fedf5ed\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.089Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Castle.Core.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-O
FFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:05.699Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"2021-09-16T22:52:32.760Z\",442368,\"code42-exfil-share-datatype\",\"2fba45e50a9fb187e9873416bc6b4400\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.089Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.137Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.184Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337194Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"libnanoapimanaged.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":7197696,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ff0f788645e78335908728321c10454b\\\",\\\"sha256Checksum\\\":\\\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.638Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.359Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3e1bc410-3631-5811-9b1f-f5830fe141bf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:23.184Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"libnanoapimanaged.dll\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.359Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"2021-09-16T22:52:32.759Z\",7197696,\"code42-exfil-share-datatype\",\"ff0f788645e78335908728321c10454b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.184Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.638Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.206Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315122Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-string-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18296,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"f340a17ac423c71767d66973f69d05c8\\\",\\\"sha256Checksum\\\":\\\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.882Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.883Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableM
ediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3de744ae-c05b-5cad-b8ba-bf2e42b878c5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:41.206Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-string-l1-1-0.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.883Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"2021-09-16T22:52:32.761Z\",18296,\"code42-exfil-share-datatype\",\"f340a17ac423c71767d66973f69d05c8\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.206Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.882Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:51:23.336Z 804e3b095828 Skyformation - 869866733287153498 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 dproc=file events dtz=default-tenant end=1631832683336 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:51:23.336Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:22.415Z 
ext_md5Checksum=1a91631bf8b9e8f8eebc32c23d289b00 ext_sharedWith=[] ext_sha256Checksum=528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:47.736678Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:51:23.336Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:52:47.736678Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/john.miller/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"1a91631bf8b9e8f8eebc32c23d289b00\\\",\\\"sha256Checksum\\\":\\\"528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:36:29.460Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:51:22.415Z\\\",\\\"deviceUserName\\\":\\\"john.miller@c42se.com\\\",\\\"osHostName\\\":\\\"JOHNM-OFFICIAL-\\\",\\\"domainName\\\":\\\"JOHNM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\\\",\\\"0:0:0:0:0:
0:0:1\\\",\\\"172.20.64.238\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944596934062634167\\\",\\\"userUid\\\":\\\"920256648733700755\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"john.miller\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-906a35f1-be54-5c29-beb5-915c1a319598\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:51:23.336Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.interna
l\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"JOHNM-OFFICIAL-\",\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:51:22.415Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"john.miller\",\"528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad\",\"2021-09-16T22:54:30.602Z\",21,\"code42-exfil-share-datatype\",\"1a91631bf8b9e8f8eebc32c23d289b00\",57848,\"false\",\"TRUE\",\"C:/Users/john.miller/\",\"Document\",\"Administrators\",\"FILE\",\"920256648733700755\",\"2021-09-16T22:51:23.336Z\",\"john.miller@c42se.com\",\"john.miller@c42se.com\",\"2020-08-14T14:36:29.460Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.281Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337345Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxComm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":22965248,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3bf2cfa3eeecd650c9564a2b6543b398\\\",\\\"sha256Checksum\\\":\\\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:51.480Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-faf386d2-1897-5faa-9341-f6a5fc3c9de2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.281Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxComm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFI
CIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:51.480Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"2021-09-16T22:52:32.760Z\",22965248,\"code42-exfil-share-datatype\",\"3bf2cfa3eeecd650c9564a2b6543b398\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.281Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.136Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336703Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Client.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"987db26b17dc24d5b7dec25db1c103c2\\\",\\\"sha256Checksum\\\":\\\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.839Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-25c017fd-4f45-5914-beb2-bc15656fec2f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.136Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Client.dll\",\"DARN
ELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.839Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"2021-09-16T22:52:32.759Z\",18296,\"code42-exfil-share-datatype\",\"987db26b17dc24d5b7dec25db1c103c2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.136Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:03:00.461Z 804e3b095828 Skyformation - 4596085183447228781 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 dproc=file events dtz=default-tenant end=1631833380461 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:00.461Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:59.649Z 
ext_md5Checksum=3466b521c7f5908415eda20dae617805 ext_sharedWith=[] ext_sha256Checksum=323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:49.475785Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:03:00.461Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:03:49.475785Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/keri.prichard/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"3466b521c7f5908415eda20dae617805\\\",\\\"sha256Checksum\\\":\\\"323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:28:08.235Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:02:59.649Z\\\",\\\"deviceUserName\\\":\\\"keri.prichard@example.edu\\\",\\\"osHostName\\\":\\\"KERIP-OFFICIAL-\\\",\\\"domainName\\\":\\\"KERIP-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.164\\\",\\\"
fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423512854283047\\\",\\\"userUid\\\":\\\"966201252013468837\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"keri.prichard\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7e0b6d27-4e43-591e-bfda-6a6ab3f6874a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:03:00.461Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-
int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KERIP-OFFICIAL-\",\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:02:59.649Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"keri.prichard\",\"323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a\",\"2021-09-16T23:38:30.159Z\",21,\"code42-exfil-share-datatype\",\"3466b521c7f5908415eda20dae617805\",57848,\"false\",\"TRUE\",\"C:/Users/keri.prichard/\",\"Document\",\"Administrators\",\"FILE\",\"966201252013468837\",\"2021-09-16T23:03:00.461Z\",\"keri.prichard@example.edu\",\"keri.prichard@example.edu\",\"2020-08-21T01:28:08.235Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.132Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334824Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\\\",\\\"fileName\\\":\\\"UIAutomationTypes.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b81fa8bc88192c7febd2479638aea569\\\",\\\"sha256Checksum\\\":\\\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.158Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.113Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-80f4bd35-8d77-5832-82bc-6e851b01ab6a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.132Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationTypes.resources.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.113Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"2021-09-16T22:52:32.759Z\",17296,\"code42-exfil-share-datatype\",\"b81fa8bc88192c7febd2479638aea569\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.132Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.158Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:31.153Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337748Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"msoimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11529088,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3f7fb1d32a7be58e65dc615a9553e183\\\",\\\"sha256Checksum\\\":\\\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.183Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:53.564Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-c11cb0c5-6ce6-53e6-990a-3db70bde087e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:31.153Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msoimm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICI
AL-WIN10.qa.code42.com\",\"2021-08-23T09:31:53.564Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"2021-09-16T22:52:32.766Z\",11529088,\"code42-exfil-share-datatype\",\"3f7fb1d32a7be58e65dc615a9553e183\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:31.153Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.183Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:45.200Z 804e3b095828 Skyformation - 4568069721930504518 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 dproc=file events dtz=default-tenant end=1631832945200 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:45.200Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:44.294Z 
ext_md5Checksum=443f8cb00cc5111045099941ed333760 ext_sharedWith=[] ext_sha256Checksum=0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:57.527022Z ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:45.200Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:56:57.527022Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/eric.strauss/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"443f8cb00cc5111045099941ed333760\\\",\\\"sha256Checksum\\\":\\\"0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59\\\",\\\"createTimestamp\\\":\\\"2020-08-14T13:40:10.269Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:44.294Z\\\",\\\"deviceUserName\\\":\\\"eric.strauss@c42se.com\\\",\\\"osHostName\\\":\\\"ERICS-OFFICIAL-\\\",\\\"domainName\\\":\\\"ERICS-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:10bc:b19:239f:6063%eth4\\\",\\\"172.20.65
.70\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"949085489986461736\\\",\\\"userUid\\\":\\\"886924612955838070\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"eric.strauss\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-88010803-a3bd-5c70-ad45-f8a8ff7c5250\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:55:45.200Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"ERICS-OFFICIAL-\",\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:55:44.294Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"eric.strauss\",\"0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59\",\"2021-09-16T22:58:29.756Z\",21,\"code42-exfil-share-datatype\",\"443f8cb00cc5111045099941ed333760\",57848,\"false\",\"TRUE\",\"C:/Users/eric.strauss/\",\"Document\",\"Administrators\",\"FILE\",\"886924612955838070\",\"2021-09-16T22:55:45.200Z\",\"eric.strauss@c42se.com\",\"eric.strauss@c42se.com\",\"2020-08-14T13:40:10.269Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.250Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336984Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Collections.Immutable.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":302216,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d8203aedaabeac1e606cd0e2af397d01\\\",\\\"sha256Checksum\\\":\\\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.294Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outs
ideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a06655bf-1d69-5734-9385-bedd69f54dde\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.250Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Collections.Immutable.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.294Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"2021-09-16T22:52:32.760Z\",302216,\"code42-exfil-share-datatype\",\"d8203aedaabeac1e606cd0e2af397d01\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.250Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.201Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314355Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.WebSocketClient.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1103208,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"e93c70df0faa580e8272c9c833238352\\\",\\\"sha256Checksum\\\":\\\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.457Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.468Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"r
emovableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6c6ba0d2-5cb7-5fb4-b8fa-b1ddcca2b916\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.201Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.WebSocketClient.dll\",\"DAR
NELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.468Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"2021-09-16T22:52:32.763Z\",1103208,\"code42-exfil-share-datatype\",\"e93c70df0faa580e8272c9c833238352\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.201Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.457Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:57:00.388Z 804e3b095828 Skyformation - 828612858482025544 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 dproc=file events dtz=default-tenant end=1631833020388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:00.388Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:59.574Z 
ext_md5Checksum=8efa479f501fce555f0d148ed15700ff ext_sharedWith=[] ext_sha256Checksum=7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:23.763511Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:57:00.388Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:58:23.763511Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/keri.prichard/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"8efa479f501fce555f0d148ed15700ff\\\",\\\"sha256Checksum\\\":\\\"7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:28:08.235Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:56:59.574Z\\\",\\\"deviceUserName\\\":\\\"keri.prichard@example.edu\\\",\\\"osHostName\\\":\\\"KERIP-OFFICIAL-\\\",\\\"domainName\\\":\\\"KERIP-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.164\\\",\\\"
fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423512854283047\\\",\\\"userUid\\\":\\\"966201252013468837\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"keri.prichard\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-16c0c82f-103f-5735-8035-176b59587558\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:57:00.388Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-in
t-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KERIP-OFFICIAL-\",\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:56:59.574Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"keri.prichard\",\"7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0\",\"2021-09-16T23:00:29.721Z\",21,\"code42-exfil-share-datatype\",\"8efa479f501fce555f0d148ed15700ff\",57848,\"false\",\"TRUE\",\"C:/Users/keri.prichard/\",\"Document\",\"Administrators\",\"FILE\",\"966201252013468837\",\"2021-09-16T22:57:00.388Z\",\"keri.prichard@example.edu\",\"keri.prichard@example.edu\",\"2020-08-21T01:28:08.235Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:44.248Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315215Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"ipcfile.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":519040,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"c0ae22d4188ac20d9d83dd26ad0aabe8\\\",\\\"sha256Checksum\\\":\\\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.591Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.599Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nu
ll,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-688ee4c8-f77c-5f46-9836-4348af79eaac\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:44.248Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ipcfile.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.599Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"2021-09-16T22:52:32.766Z\",519040,\"code42-exfil-share-datatype\",\"c0ae22d4188ac20d9d83dd26ad0aabe8\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:44.248Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.591Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.199Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315098Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-runtime-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":16248,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"439e89fa2d4882b639df5e8ec7a96ba3\\\",\\\"sha256Checksum\\\":\\\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.868Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removable
MediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a0d1586a-980b-53db-a3bd-54d0da5b1f6c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:41.199Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-runtime-l1-1-0.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"2021-09-16T22:52:32.759Z\",16248,\"code42-exfil-share-datatype\",\"439e89fa2d4882b639df5e8ec7a96ba3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.199Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.868Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.194Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336844Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Options.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":50552,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"89c3d573e8b2e5a71850a69f14fff1a5\\\",\\\"sha256Checksum\\\":\\\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.786Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.917Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d48070bb-5f27-5c2d-988d-60be6d9b5bf9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.194Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Options.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.917Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"2021-09-16T22:52:32.763Z\",50552,\"code42-exfil-share-datatype\",\"89c3d573e8b2e5a71850a69f14fff1a5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.194Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.786Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:59:02.980Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:01:17.003636Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661803,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"7a691f6c406d52373ad2c62e2f480bb3\\\",\\\"sha256Checksum\\\":\\\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:59:00.670Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_1_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-44f8d201-58cc-59b9-97c3-f246c522fbbf\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:59:02.980Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{
\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:59:00.670Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"2021-09-16T23:02:30.314Z\",6661803,\"code42-exfil-share-datatype\",\"7a691f6c406d52373ad2c62e2f480bb3\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:59:02.980Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.391Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314714Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-debug-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11648,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"5c7fa0b68872c2d1d3f10601e3af2341\\\",\\\"sha256Checksum\\\":\\\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.181Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.185Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMe
diaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-76f5923e-90cb-5871-a068-f325c3b14df5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.391Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-debug-l1-1-0.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.185Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"2021-09-16T22:52:32.758Z\",11648,\"code42-exfil-share-datatype\",\"5c7fa0b68872c2d1d3f10601e3af2341\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.391Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.181Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.258Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336992Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.ComponentModel.Annotations.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":43152,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"7d3d14b0417a68ccdd9c51972ff74863\\\",\\\"sha256Checksum\\\":\\\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.619Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.611Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"
outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d53d7240-3aa7-5101-93e4-21c54bf8057d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.258Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.ComponentModel.Annotations.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.611Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"2021-09-16T22:52:32.766Z\",43152,\"code42-exfil-share-datatype\",\"7d3d14b0417a68ccdd9c51972ff74863\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.258Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.619Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.409Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314795Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-interlocked-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11640,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"72413f1254d09348dab76ee4e5e2e300\\\",\\\"sha256Checksum\\\":\\\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.394Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.395Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"remov
ableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9d71ceb9-5bd1-5f54-9ab2-e4c2b17d36ec\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.409Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-interlocked-l1-1-0.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.395Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"2021-09-16T22:52:32.767Z\",11640,\"code42-exfil-share-datatype\",\"72413f1254d09348dab76ee4e5e2e300\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.409Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.394Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.322Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335199Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"WindowsFormsIntegration.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14736,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\\\",\\\"sha256Checksum\\\":\\\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.379Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-591003e3-d294-5b92-b79e-0b8f876ef71a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.322Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"WindowsFormsIntegration.resources.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.379Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"2021-09-16T22:52:32.766Z\",14736,\"code42-exfil-share-datatype\",\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.322Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:39.345Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337890Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSync.Resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":2382208,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"3c69d0029f27ff52a1b4d3f70fef0d2b\\\",\\\"sha256Checksum\\\":\\\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:12.114Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:12.146Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMedi
aName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-948e9f79-dc63-5056-aea8-c68e06874928\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:39.345Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSync.Resources.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:12.146Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"2021-09-16T22:52:32.760Z\",2382208,\"code42-exfil-share-datatype\",\"3c69d0029f27ff52a1b4d3f70fef0d2b\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:39.345Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:12.114Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.278Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336341Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\\\",\\\"fileName\\\":\\\"UIAutomationClient.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":18320,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5e55e4041d9e6f6bf0d3738a25255913\\\",\\\"sha256Checksum\\\":\\\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.643Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.271Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-05bbd72b-3d43-546c-9d35-945d8f707e57\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.278Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationClient.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.271Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"2021-09-16T22:52:32.762Z\",18320,\"code42-exfil-share-datatype\",\"5e55e4041d9e6f6bf0d3738a25255913\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.278Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.643Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:46.178Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315412Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\\\",\\\"fileName\\\":\\\"qtquickextrasplugin.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":80256,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"68118cdf04def6c50804a705773bbd9b\\\",\\\"sha256Checksum\\\":\\\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:21.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:21.223Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"
removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4a0c230f-9717-5e9f-a713-a19dc76fff57\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:46.178Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"qtquickextrasplugin.dll\",\"DARNELLW-OFFICI\",\"
DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:21.223Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"2021-09-16T22:52:32.765Z\",80256,\"code42-exfil-share-datatype\",\"68118cdf04def6c50804a705773bbd9b\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:46.178Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:21.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.233Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336279Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":35728,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1b4ed26020dd106aaf2e1a6265dce9d\\\",\\\"sha256Checksum\\\":\\\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.627Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.224Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b94cad0a-dbae-50b0-8247-6f277b16ef62\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.233Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.224Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"2021-09-16T22:52:32.760Z\",35728,\"code42-exfil-share-datatype\",\"e1b4ed26020dd106aaf2e1a6265dce9d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.233Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.627Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.330Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335818Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15736,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1b1e7bc04757e673ca956218abdb7959\\\",\\\"sha256Checksum\\\":\\\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.393Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:50.144Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipien
ts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-72a3a626-c665-500e-8f8e-348475fffa7a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.330Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll\"
,\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:50.144Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"2021-09-16T22:52:32.766Z\",15736,\"code42-exfil-share-datatype\",\"1b1e7bc04757e673ca956218abdb7959\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.330Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.393Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.241Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335618Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d1b7ec7c3a95ec1e84117bfef59f1ab6\\\",\\\"sha256Checksum\\\":\\\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.863Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecip
ients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a0de864d-2900-5255-812e-84ad1269fe51\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.241Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll
\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.863Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"2021-09-16T22:52:32.765Z\",15240,\"code42-exfil-share-datatype\",\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.241Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.295Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335136Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"System.Windows.Input.Manipulations.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":15224,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5a9f0b52ac62762bd03d34c0e410acb3\\\",\\\"sha256Checksum\\\":\\\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.316Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipien
ts\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a05b4e8f-6202-5499-ba07-3718cf72c197\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.295Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Input.Manipulations.resources.dll\"
,\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.316Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"2021-09-16T22:52:32.760Z\",15224,\"code42-exfil-share-datatype\",\"5a9f0b52ac62762bd03d34c0e410acb3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.295Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:30.321Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337686Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"inktotextengineimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":346480,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3579a936952da7532c4358700bed43a3\\\",\\\"sha256Checksum\\\":\\\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.183Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.674Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outside
ActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b5817d5a-4a72-58ec-81bc-5a28f291f095\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:30.321Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"inktotextengineimm.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.674Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"2021-09-16T22:52:32.762Z\",346480,\"code42-exfil-share-datatype\",\"3579a936952da7532c4358700bed43a3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:30.321Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.183Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.216Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337256Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"libnanoapi.lib\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Archive\\\",\\\"fileCategoryByBytes\\\":\\\"Archive\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":1570,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"bb41b302cf1325c4f459616da8e605a2\\\",\\\"sha256Checksum\\\":\\\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.468Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:30.262Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeBy
Bytes\\\":\\\"application/x-archive\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f011d516-96c8-5ad3-a4b0-533801bdca65\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:23.216Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\
":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"libnanoapi.lib\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:30.262Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"2021-09-16T22:52:32.763Z\",1570,\"code42-exfil-share-datatype\",\"bb41b302cf1325c4f459616da8e605a2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"Archive\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.216Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.468Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:50:54.234Z 804e3b095828 Skyformation - 8299296745530260548 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 dproc=file events dtz=default-tenant 
end=1631832654234 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:50:54.234Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:50:53.422Z ext_md5Checksum=f9f18977a180437631eb8e969d503075 ext_sharedWith=[] ext_sha256Checksum=cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:51:57.205056Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:50:54.234Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:57.205056Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/russell.martin/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"f9f18977a180437631eb8e969d503075\\\",\\\"sha256Checksum\\\":\\\"cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:27:36.760Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:50:53.422Z\\\",\\\"deviceUserName\\\":\\\"russell.martin@example.edu\\\",\\\"osHostName\\\":\\\"RUSSELLM-OFFICI\\\",\\\"domainName\\\":\\\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.162\\\",\\\"fe80:0:0:0:49f7:c945:904:10d5%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423453587837882\\\",\\\"userUid\\\":\\\"966201050854648997\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPa
rtitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"russell.martin\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4162539b-fbca-51cf-b6e4-0a6b26d39962\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:50:54.234Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"RUSSELLM-OFFICI\",\"RUSSELLM-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-09-16T22:50:53.422Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"russell.martin\",\"cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022\",\"2021-09-16T22:52:32.764Z\",21,\"code42-exfil-share-datatype\",\"f9f18977a180437631eb8e969d503075\",57848,\"false\",\"TRUE\",\"C:/Users/russell.martin/\",\"Document\",\"Administrators\",\"FILE\",\"966201050854648997\",\"2021-09-16T22:50:54.234Z\",\"russell.martin@example.edu\",\"russell.martin@example.edu\",\"2020-08-21T01:27:36.760Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.178Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337186Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"YourPhoneServer.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":47104,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"640c3b31c496531dacc0a8fb830fd457\\\",\\\"sha256Checksum\\\":\\\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.653Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.484Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours
\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bb1cd9ba-bcbf-5e7c-bff6-a1f16c9d579f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:23.178Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneServer.exe\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.484Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"2021-09-16T22:52:32.765Z\",47104,\"code42-exfil-share-datatype\",\"640c3b31c496531dacc0a8fb830fd457\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.178Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.653Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:18.328Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334616Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":30720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c329416237b094613fc5f5a64b2ecbce\\\",\\\"sha256Checksum\\\":\\\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.564Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.664Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-53045a88-f6cf-5c78-9b45-7919c983dd54\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:18.328Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.664Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"2021-09-16T22:52:32.765Z\",30720,\"code42-exfil-share-datatype\",\"c329416237b094613fc5f5a64b2ecbce\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:18.328Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.564Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:52:54.712Z 804e3b095828 Skyformation - 1972555328724139685 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 dproc=file events dtz=default-tenant end=1631832774712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:54.712Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T22:52:53.806Z ext_md5Checksum=352c6e242381d6d2fd656d2ffe3f05a9 ext_sharedWith=[] ext_sha256Checksum=97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:02.107014Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:52:54.712Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:54:02.107014Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/michelle.goldberg/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"352c6e242381d6d2fd656d2ffe3f05a9\\\",\\\"sha256Checksum\\\":\\\"97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:53:22.049Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:52:53.806Z\\\",\\\"deviceUserName\\\":\\\"michelle.goldberg@c42se.com\\\",\\\"osHostName\\\":\\\"MICHELLEG-OFFIC\\\",\\\"domainName\\\":\\\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAdd
resses\\\":[\\\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\\\",\\\"172.20.65.60\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944597031926579042\\\",\\\"userUid\\\":\\\"922302705889597824\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"michelle.goldberg\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-7c4b7cfb-ff1f-59b1-93a0-91313fa71439\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:52:54.712Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\
"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"MICHELLEG-OFFIC\",\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:52:53.806Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"michelle.goldberg\",\"97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d\",\"2021-09-16T22:54:30.604Z\",21,\"code42-exfil-share-datatype\",\"352c6e242381d6d2fd656d2ffe3f05a9\",57848,\"false\",\"TRUE\",\"C:/Users/michelle.goldberg/\",\"Document\",\"Administrators\",\"FILE\",\"922302705889597824\",\"2021-09-16T22:52:54.712Z\",\"michelle.goldberg@c42se.com\",\"michelle.goldberg@c42se.com\",\"2020-08-14T14:53:22.049Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 
ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.130Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336068Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17296,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d7b70d7ae944e13019a7796eb46e966c\\\",\\\"sha256Checksum\\\":\\\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.755Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2dfdd205-d548-557a-a188-7105930ba081\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.130Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.755Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"2021-09-16T22:52:32.759Z\",17296,\"code42-exfil-share-datatype\",\"d7b70d7ae944e13019a7796eb46e966c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.130Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:01.316Z 804e3b095828 Skyformation - 5313767959944003510 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 dproc=file events dtz=default-tenant end=1631832901316 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:01.316Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.503Z 
ext_md5Checksum=1ed9751c3a3a31efb6d268320a46952a ext_sharedWith=[] ext_sha256Checksum=8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:00.284722Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:01.316Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:56:00.284722Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/lisa.anderson/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"1ed9751c3a3a31efb6d268320a46952a\\\",\\\"sha256Checksum\\\":\\\"8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab\\\",\\\"createTimestamp\\\":\\\"2020-08-20T15:35:40.032Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:00.503Z\\\",\\\"deviceUserName\\\":\\\"lisa.anderson@example.edu\\\",\\\"osHostName\\\":\\\"LISAA-OFFICIAL-\\\",\\\"domainName\\\":\\\"LISAA-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.165\\\",\\\"
0:0:0:0:0:0:0:1\\\",\\\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968364480722593364\\\",\\\"userUid\\\":\\\"966200991614299301\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"lisa.anderson\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_19_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d3ebf614-7a41-54e5-b9ad-6e8b032a6820\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:55:01.316Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-
int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"LISAA-OFFICIAL-\",\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:55:00.503Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"lisa.anderson\",\"8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab\",\"2021-09-16T22:58:29.756Z\",21,\"code42-exfil-share-datatype\",\"1ed9751c3a3a31efb6d268320a46952a\",57848,\"false\",\"TRUE\",\"C:/Users/lisa.anderson/\",\"Document\",\"Administrators\",\"FILE\",\"966200991614299301\",\"2021-09-16T22:55:01.316Z\",\"lisa.anderson@example.edu\",\"lisa.anderson@example.edu\",\"2020-08-20T15:35:40.032Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.133Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336694Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.AspNetCore.SignalR.Client.Core.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":144760,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1edab455db5fec76120731d3c11cb67\\\",\\\"sha256Checksum\\\":\\\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.755Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.823Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":n
ull,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-f3d93fcd-248c-5cf5-b1e3-7ea6efaeb96e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.133Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"D
ARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.823Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"2021-09-16T22:52:32.761Z\",144760,\"code42-exfil-share-datatype\",\"e1edab455db5fec76120731d3c11cb67\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.133Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.755Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.388Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314702Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-core-datetime-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":11648,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"98cfeaa96192d5dccc4a1852f6754fd5\\\",\\\"sha256Checksum\\\":\\\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.142Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.155Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removabl
eMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a5f54c34-5c36-5f79-9a0a-cd3443ceaf39\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.388Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-core-datetime-l1-1-0.dll\",\"DARNELLW
-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.155Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"2021-09-16T22:52:32.762Z\",11648,\"code42-exfil-share-datatype\",\"98cfeaa96192d5dccc4a1852f6754fd5\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.388Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.142Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:02.481Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:55:54.847061Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"/Users/kathy.kane/.scripts/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":6661687,\\\"fileOwner\\\":\\\"kathy.kane\\\",\\\"md5Checksum\\\":\\\"3df126f4a090da12f2c29b6e5c1c29da\\\",\\\"sha256Checksum\\\":\\\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\\\",\\\"createTimestamp\\\":\\\"2020-08-12T14:09:19.657Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:00.206Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":\\\"KATHYK-OSX 
(2)\\\",\\\"domainName\\\":\\\"localhost\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"0:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:0:0:0:1%lo0\\\",\\\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\\\",\\\"172.20.64.15\\\",\\\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\\\",\\\"127.0.0.1\\\",\\\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\\\"],\\\"deviceUid\\\":\\\"950699765112475617\\\",\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"kathy.kane\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} 
\\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-32ba2af3-2036-5524-8bbc-ace366ddd95d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:55:02.481Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"
},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"KATHYK-OSX (2)\",\"localhost\",\"2021-09-16T22:55:00.206Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"kathy.kane\",\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"2021-09-16T22:58:29.755Z\",6661687,\"code42-exfil-share-datatype\",\"3df126f4a090da12f2c29b6e5c1c29da\",57848,\"false\",\"TRUE\",\"/Users/kathy.kane/.scripts/\",\"Document\",\"kathy.kane\",\"FILE\",\"886897886179661430\",\"2021-09-16T22:55:02.481Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-08-12T14:09:19.657Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] 
ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.123Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337678Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"igxim.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":4910872,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d19ae43d04b6c5c4b5f3fcc081b9e602\\\",\\\"sha256Checksum\\\":\\\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.611Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\
\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bb0321a2-a87b-56fe-b5b5-20b9c02a89b4\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:28.123Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"igxim.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIA
L-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.611Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"2021-09-16T22:52:32.759Z\",4910872,\"code42-exfil-share-datatype\",\"d19ae43d04b6c5c4b5f3fcc081b9e602\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.123Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.086Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336563Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"AutoMapper.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":286720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"ff3c3d84a000d57ef7d443f594d407ec\\\",\\\"sha256Checksum\\\":\\\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\\\",\\\"createTimestamp\\\":\\\"2021-06-17T09:48:12.583Z\\\",\\\"modifyTimestamp\\\":\\\"2021-06-17T09:48:17.915Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\"
:false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4092231e-8015-5e72-93c4-007b94515cd6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.086Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"AutoMapper.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OF
FICIAL-WIN10.qa.code42.com\",\"2021-06-17T09:48:17.915Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"2021-09-16T22:52:32.759Z\",286720,\"code42-exfil-share-datatype\",\"ff3c3d84a000d57ef7d443f594d407ec\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.086Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-06-17T09:48:12.583Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.166Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336765Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Caching.Memory.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":32120,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"9e7c8d18c1128488df0dea96a6b5be3c\\\",\\\"sha256Checksum\\\":\\\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.247Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\
\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-32cf786a-b54f-5f06-8b5f-120a57ee31d5\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.166Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Caching.Memory.dll\",\"DARNEL
LW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.247Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"2021-09-16T22:52:32.764Z\",32120,\"code42-exfil-share-datatype\",\"9e7c8d18c1128488df0dea96a6b5be3c\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.166Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.086Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335338Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\\\",\\\"fileName\\\":\\\"mscorrc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":13176,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"fc24926593d08479a7ed2bdaff458d20\\\",\\\"sha256Checksum\\\":\\\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.252Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.613Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":f
alse,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-986981d1-b0c1-5463-b0d6-0f4ac3764bf2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.086Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"mscorrc.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFIC
IAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.613Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"2021-09-16T22:52:32.759Z\",13176,\"code42-exfil-share-datatype\",\"fc24926593d08479a7ed2bdaff458d20\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.086Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.252Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.192Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314319Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Microsoft.SharePoint.Calc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1333608,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"29b2b242a9fb8c094425d566c50f0958\\\",\\\"sha256Checksum\\\":\\\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.949Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.967Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMedi
aMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-d06e6d6c-2bd7-559d-88b4-d7e4d1a89e9a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.192Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.SharePoint.Calc.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.967Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"2021-09-16T22:52:32.760Z\",1333608,\"code42-exfil-share-datatype\",\"29b2b242a9fb8c094425d566c50f0958\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.192Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.949Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 2046146408369861582 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=4447782c2756c6c447299d79a0e92f6950df5def fsize=3105208 msg=Resource [Resource: file :: 4447782c2756c6c447299d79a0e92f6950df5def] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=4447782c2756c6c447299d79a0e92f6950df5def ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T10:01:33.097Z ext_md5Checksum=3a09012f4a87abb2366ffbf8ca4b70ec ext_sharedWith=[] ext_sha256Checksum=0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3105208 ext_insertionTimestamp=2021-09-16T22:59:26.353746Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T10:01:32.918Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:32.032Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:59:26.353746Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Windows/SoftwareDistribution/Download/\\\",\\\"fileName\\\":\\\"4447782c2756c6c447299d79a0e92f6950df5def\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":3105208,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"3a09012f4a87abb2366ffbf8ca4b70ec\\\",\\\"sha256Checksum\\\":\\\"0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862\\\",\\\"createTimestamp\\\":\\\"2021-09-15T10:01:32.918Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T10:01:33.097Z\\\",\\\"deviceUserName\\\":\\\"michelle.goldberg@c42se.com\\\",\\\"osHostName\\\":\\\"MICHELLEG-OFFIC\\\",\\\"domainName\\\":\\\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\\\",\\\"172.20.65.60\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944597031926579042\\\",\\\"userUid\\\":\\\"922302705889597824\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"
removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"michelle.goldberg\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_11_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6a55a80a-3597-5ff8-8362-b51c90225a52\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:55:32.032Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"4447782c2756c6c447299d79a0e92f6950df5def\",\"
MICHELLEG-OFFIC\",\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-15T10:01:33.097Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"michelle.goldberg\",\"0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862\",\"2021-09-16T23:02:30.312Z\",3105208,\"code42-exfil-share-datatype\",\"3a09012f4a87abb2366ffbf8ca4b70ec\",57848,\"false\",\"TRUE\",\"C:/Windows/SoftwareDistribution/Download/\",\"Executable\",\"SYSTEM\",\"FILE\",\"922302705889597824\",\"2021-09-16T22:55:32.032Z\",\"michelle.goldberg@c42se.com\",\"michelle.goldberg@c42se.com\",\"2021-09-15T10:01:32.918Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.160Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336148Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\\\",\\\"fileName\\\":\\\"UIAutomationTypes.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17272,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"077bb8ca6a783006aacb63d08317c339\\\",\\\"sha256Checksum\\\":\\\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.596Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.849Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61471_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-0357656e-2c0b-5454-97fc-aaff38ba6255\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.160Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationTypes.resources.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.849Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"2021-09-16T22:52:32.764Z\",17272,\"code42-exfil-share-datatype\",\"077bb8ca6a783006aacb63d08317c339\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.160Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.596Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.219Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336922Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Newtonsoft.Json.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":653824,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f33cbe589b769956284868104686cc2d\\\",\\\"sha256Checksum\\\":\\\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\\\",\\\"createTimestamp\\\":\\\"2020-05-21T13:18:58.618Z\\\",\\\"modifyTimestamp\\\":\\\"2020-05-21T13:19:04.588Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-aea8b0e5-235a-5595-8967-8fed89dcca7f\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.219Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Newtonsoft.Json.dll\",\"DARNELLW-OFFICI\",\"DARN
ELLW-OFFICIAL-WIN10.qa.code42.com\",\"2020-05-21T13:19:04.588Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"2021-09-16T22:52:32.761Z\",653824,\"code42-exfil-share-datatype\",\"f33cbe589b769956284868104686cc2d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.219Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-05-21T13:18:58.618Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.060Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335277Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":30720,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1ac89288b8009c9a0fb138fb9d67b150\\\",\\\"sha256Checksum\\\":\\\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.586Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.943Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9918c6d9-765e-5d8c-b914-bf67bca5fb25\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.060Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.943Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"2021-09-16T22:52:32.763Z\",30720,\"code42-exfil-share-datatype\",\"1ac89288b8009c9a0fb138fb9d67b150\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.060Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.586Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.234Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314470Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5Gui.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":6671232,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"f53d5cd7837e933cf4cc8c07a1a88350\\\",\\\"sha256Checksum\\\":\\\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.375Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.450Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6f1119de-1ca4-5c02-8a48-8d233b6c7f51\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.234Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5Gui.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFI
CIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.450Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"2021-09-16T22:52:32.762Z\",6671232,\"code42-exfil-share-datatype\",\"f53d5cd7837e933cf4cc8c07a1a88350\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.234Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.375Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.163Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335444Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17272,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b5cb4e7532586d8ec2a144fe895ef55d\\\",\\\"sha256Checksum\\\":\\\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.330Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.707Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1b62b73d-4074-5e2d-aed4-f833528c33c6\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.163Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.707Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"2021-09-16T22:52:32.765Z\",17272,\"code42-exfil-share-datatype\",\"b5cb4e7532586d8ec2a144fe895ef55d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.163Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.330Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.146Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335417Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\\\",\\\"fileName\\\":\\\"PresentationFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":208784,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"beeb465b9ab84dbb8f78f866924d49fe\\\",\\\"sha256Checksum\\\":\\\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.315Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.676Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,
\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61472_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-292bec71-c562-577a-a94f-ab54370603eb\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.146Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"PresentationFramework.resources.dll\",\"DARNELLW-O
FFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.676Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"2021-09-16T22:52:32.766Z\",208784,\"code42-exfil-share-datatype\",\"beeb465b9ab84dbb8f78f866924d49fe\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.146Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.315Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.288Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335722Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\\\",\\\"sha256Checksum\\\":\\\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.598Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.987Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\
":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-2574907d-cae0-57cc-b985-8815cca5ac1d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.288Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.987Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"2021-09-16T22:52:32.761Z\",26112,\"code42-exfil-share-datatype\",\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.288Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.598Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:47:48.222Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:56:50.885010Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/\\\",\\\"fileName\\\":\\\"sshd.pid\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":6,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"4ae3b17c6481c84809152f331f7d783c\\\",\\\"sha256Checksum\\\":\\\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\\\",\\\"createTimestamp\\\":\\\"2021-03-17T09:49:37.832Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T09:39:11.904Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77
:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_6_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-5d48b52e-0e61-5614-b642-183dc0ac545e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:47:48.222Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}
],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"sshd.pid\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T09:39:11.904Z\",\"application/octet-stream\",\"MODIFIED\",\"162.222.47.183\",\"darnell.waters\",\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"2021-09-16T22:58:29.756Z\",6,\"code42-exfil-share-datatype\",\"4ae3b17c6481c84809152f331f7d783c\",57848,\"false\",\"TRUE\",\"C:/\",\"Document\",\"Administrators\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:47:48.222Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-03-17T09:49:37.832Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.108Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336633Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Google.Protobuf.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":401064,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"5e73f645a041a91618e33299cfe33851\\\",\\\"sha256Checksum\\\":\\\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.060Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHour
s\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-764e8852-01b4-5167-bee9-61f29e31602d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.108Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Google.Protobuf.dll\",\"DARNELLW-OFFICI\",\"DARNEL
LW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.060Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"2021-09-16T22:52:32.766Z\",401064,\"code42-exfil-share-datatype\",\"5e73f645a041a91618e33299cfe33851\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.108Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:52:00.340Z 804e3b095828 Skyformation - 101121762317961190 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 dproc=file events dtz=default-tenant end=1631832720340 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:00.340Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:59.527Z ext_md5Checksum=a5d9591d6f143c127c28abadbf112417 
ext_sharedWith=[] ext_sha256Checksum=ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:59.169359Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:52:00.340Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:52:59.169359Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/keri.prichard/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"a5d9591d6f143c127c28abadbf112417\\\",\\\"sha256Checksum\\\":\\\"ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:28:08.235Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:51:59.527Z\\\",\\\"deviceUserName\\\":\\\"keri.prichard@example.edu\\\",\\\"osHostName\\\":\\\"KERIP-OFFICIAL-\\\",\\\"domainName\\\":\\\"KERIP-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.164\\\",\\\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\\\",\\\"0:0:0
:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423512854283047\\\",\\\"userUid\\\":\\\"966201252013468837\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"keri.prichard\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log 
message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b32701b6-d75d-5708-8872-225eb4b7fbd8\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:52:00.340Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\"
,\"modify_me.txt\",\"KERIP-OFFICIAL-\",\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:51:59.527Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"keri.prichard\",\"ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04\",\"2021-09-16T22:54:30.604Z\",21,\"code42-exfil-share-datatype\",\"a5d9591d6f143c127c28abadbf112417\",57848,\"false\",\"TRUE\",\"C:/Users/keri.prichard/\",\"Document\",\"Administrators\",\"FILE\",\"966201252013468837\",\"2021-09-16T22:52:00.340Z\",\"keri.prichard@example.edu\",\"keri.prichard@example.edu\",\"2020-08-21T01:28:08.235Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.284Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337354Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxCommModel.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":4250624,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"1d0bcfa0671f607ba8e3ab53f893e8bb\\\",\\\"sha256Checksum\\\":\\\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.137Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActive
Hours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-366d1237-2f8f-52da-b57a-6c5aeff7f553\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.284Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxCommModel.dll\",\"DARNELLW-OFFICI\",\"DARNELLW
-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.137Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"2021-09-16T22:52:32.763Z\",4250624,\"code42-exfil-share-datatype\",\"1d0bcfa0671f607ba8e3ab53f893e8bb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.284Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:01:54.338Z 804e3b095828 Skyformation - 5372332763298212826 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 dproc=file events dtz=default-tenant end=1631833314338 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:01:54.338Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:01:53.526Z 
ext_md5Checksum=88b43443da22c25cf6c00f8cd5c67b29 ext_sharedWith=[] ext_sha256Checksum=7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:49.223927Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:01:54.338Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:02:49.223927Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/russell.martin/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"88b43443da22c25cf6c00f8cd5c67b29\\\",\\\"sha256Checksum\\\":\\\"7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69\\\",\\\"createTimestamp\\\":\\\"2020-08-21T01:27:36.760Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:01:53.526Z\\\",\\\"deviceUserName\\\":\\\"russell.martin@example.edu\\\",\\\"osHostName\\\":\\\"RUSSELLM-OFFICI\\\",\\\"domainName\\\":\\\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.64.162\
\\",\\\"fe80:0:0:0:49f7:c945:904:10d5%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"968423453587837882\\\",\\\"userUid\\\":\\\"966201050854648997\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"russell.martin\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_13_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-87711222-9004-58f2-8d70-d87870bdc475\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:01:54.338Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\
"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"RUSSELLM-OFFICI\",\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:01:53.526Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"russell.martin\",\"7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69\",\"2021-09-16T23:04:29.765Z\",21,\"code42-exfil-share-datatype\",\"88b43443da22c25cf6c00f8cd5c67b29\",57848,\"false\",\"TRUE\",\"C:/Users/russell.martin/\",\"Document\",\"Administrators\",\"FILE\",\"966201050854648997\",\"2021-09-16T23:01:54.338Z\",\"russell.martin@example.edu\",\"russell.martin@example.edu\",\"2020-08-21T01:27:36.760Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:53:34.592Z 804e3b095828 Skyformation - 5887001634145810066 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 dproc=file events dtz=default-tenant end=1631832814592 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:53:34.592Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:53:33.688Z ext_md5Checksum=984ffdd35a8b9587207b594e6a6391b5 ext_sharedWith=[] ext_sha256Checksum=d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:27.640048Z ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:53:34.592Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:54:27.640048Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/sean.cassidy/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"984ffdd35a8b9587207b594e6a6391b5\\\",\\\"sha256Checksum\\\":\\\"d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e\\\",\\\"createTimestamp\\\":\\\"2020-03-23T20:49:51.288Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:53:33.688Z\\\",\\\"deviceUserName\\\":\\\"sean.cassidy@c42se.com\\\",\\\"osHostName\\\":\\\"SEANC-OFFICIAL-\\\",\\\"domainName\\\":\\\"SEANC-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"pr
ivateIpAddresses\\\":[\\\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\",\\\"172.20.65.56\\\"],\\\"deviceUid\\\":\\\"983156854068078725\\\",\\\"userUid\\\":\\\"887050325252344565\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"sean.cassidy\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from 
gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-719c033c-53b7-50ac-bf24-b8c674179635\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:53:34.592Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\
"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"SEANC-OFFICIAL-\",\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:53:33.688Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"sean.cassidy\",\"d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e\",\"2021-09-16T22:54:30.604Z\",21,\"code42-exfil-share-datatype\",\"984ffdd35a8b9587207b594e6a6391b5\",57848,\"false\",\"TRUE\",\"C:/Users/sean.cassidy/\",\"Document\",\"Administrators\",\"FILE\",\"887050325252344565\",\"2021-09-16T22:53:34.592Z\",\"sean.cassidy@c42se.com\",\"sean.cassidy@c42se.com\",\"2020-03-23T20:49:51.288Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:41.158Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314982Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"api-ms-win-crt-conio-l1-1-0.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":12664,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"c61e3c9099cc2b143cc93bf26ac01d34\\\",\\\"sha256Checksum\\\":\\\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:11.790Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:11.790Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMed
iaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-19461a73-1623-57e1-9868-8316927e555a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:41.158Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"api-ms-win-crt-conio-l1-1-0.dll\",\"DARNELLW-OFFIC
I\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:11.790Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"2021-09-16T22:52:32.763Z\",12664,\"code42-exfil-share-datatype\",\"c61e3c9099cc2b143cc93bf26ac01d34\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:41.158Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:11.790Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 8292696232025279500 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=3e524e400c05f8303ada6e81308853048f98951f fsize=348600 msg=Resource [Resource: file :: 3e524e400c05f8303ada6e81308853048f98951f] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=3e524e400c05f8303ada6e81308853048f98951f ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:53:42.201Z ext_md5Checksum=a41a0e7d69c8b117f5a841863ad4d765 ext_sharedWith=[] ext_sha256Checksum=ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=348600 ext_insertionTimestamp=2021-09-16T22:59:26.353728Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T09:53:42.064Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:32.032Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:59:26.353728Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Windows/SoftwareDistribution/Download/\\\",\\\"fileName\\\":\\\"3e524e400c05f8303ada6e81308853048f98951f\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":348600,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"a41a0e7d69c8b117f5a841863ad4d765\\\",\\\"sha256Checksum\\\":\\\"ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae\\\",\\\"createTimestamp\\\":\\\"2021-09-15T09:53:42.064Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:53:42.201Z\\\",\\\"deviceUserName\\\":\\\"michelle.goldberg@c42se.com\\\",\\\"osHostName\\\":\\\"MICHELLEG-OFFIC\\\",\\\"domainName\\\":\\\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\\\",\\\"172.20.65.60\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944597031926579042\\\",\\\"userUid\\\":\\\"922302705889597824\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"r
emovableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"michelle.goldberg\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b141bf70-a77d-5e91-985f-804abf86f186\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:55:32.032Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"3e524e400c05f8303ada6e81308853048f98951f\",\"
MICHELLEG-OFFIC\",\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-15T09:53:42.201Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"michelle.goldberg\",\"ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae\",\"2021-09-16T23:00:29.721Z\",348600,\"code42-exfil-share-datatype\",\"a41a0e7d69c8b117f5a841863ad4d765\",57848,\"false\",\"TRUE\",\"C:/Windows/SoftwareDistribution/Download/\",\"Executable\",\"SYSTEM\",\"FILE\",\"922302705889597824\",\"2021-09-16T22:55:32.032Z\",\"michelle.goldberg@c42se.com\",\"michelle.goldberg@c42se.com\",\"2021-09-15T09:53:42.064Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:56:54.736Z 804e3b095828 Skyformation - 2768134485455653850 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 dproc=file events dtz=default-tenant end=1631833014736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:56:54.736Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:53.830Z 
ext_md5Checksum=d7bad10ef06efb58306cf290c0666440 ext_sharedWith=[] ext_sha256Checksum=158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:26.353681Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:56:54.736Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:59:26.353681Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/michelle.goldberg/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"d7bad10ef06efb58306cf290c0666440\\\",\\\"sha256Checksum\\\":\\\"158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:53:22.049Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:56:53.830Z\\\",\\\"deviceUserName\\\":\\\"michelle.goldberg@c42se.com\\\",\\\"osHostName\\\":\\\"MICHELLEG-OFFIC\\\",\\\"domainName\\\":\\\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:29f6:1fed:cdd5:ef
ae%eth4\\\",\\\"172.20.65.60\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944597031926579042\\\",\\\"userUid\\\":\\\"922302705889597824\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"michelle.goldberg\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_12_61481_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal 
containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-53659e52-f299-5197-b32b-1b8ec8f96d9d\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:56:54.736Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-
int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"MICHELLEG-OFFIC\",\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:56:53.830Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"michelle.goldberg\",\"158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba\",\"2021-09-16T23:00:29.721Z\",21,\"code42-exfil-share-datatype\",\"d7bad10ef06efb58306cf290c0666440\",57848,\"false\",\"TRUE\",\"C:/Users/michelle.goldberg/\",\"Document\",\"Administrators\",\"FILE\",\"922302705889597824\",\"2021-09-16T22:56:54.736Z\",\"michelle.goldberg@c42se.com\",\"michelle.goldberg@c42se.com\",\"2020-08-14T14:53:22.049Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.309Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337398Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"HxOutlook.exe\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":1439232,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"845c649d20d35fc78fbab0c0d9ec5ec6\\\",\\\"sha256Checksum\\\":\\\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.902Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:52.168Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHo
urs\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-dosexec\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-8ecbddf4-f6de-5532-b9a4-0c18b11274a2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.309Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"HxOutlook.exe\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:52.168Z\",\"application/x-dosexec\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"2021-09-16T22:52:32.761Z\",1439232,\"code42-exfil-share-datatype\",\"845c649d20d35fc78fbab0c0d9ec5ec6\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.309Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.902Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.350Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337538Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"TextEntityExtractorProxy.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":638976,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f8af1754c0bdb86deb1f68930784d580\\\",\\\"sha256Checksum\\\":\\\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:55.205Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"o
utsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-767515fa-6d2b-54eb-b95a-d0ed62b96e67\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.350Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"TextEntityExtractorProxy.dll\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:55.205Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"2021-09-16T22:52:32.767Z\",638976,\"code42-exfil-share-datatype\",\"f8af1754c0bdb86deb1f68930784d580\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.350Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.190Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336835Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Logging.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":34168,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"47d7a055ee7672f9b54ba629da07a6a3\\\",\\\"sha256Checksum\\\":\\\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.786Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.917Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsi
deActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_9_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-19f4f026-7d63-5465-9fc6-c1821bd52f8b\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.190Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Logging.dll\",\"DARNELLW-OFFI
CI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.917Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"2021-09-16T22:52:32.766Z\",34168,\"code42-exfil-share-datatype\",\"47d7a055ee7672f9b54ba629da07a6a3\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.190Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.786Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:02:22.586Z 804e3b095828 Skyformation - 166520060466349731 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 dproc=file events dtz=default-tenant end=1631833342586 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:02:22.586Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:22.567Z 
ext_md5Checksum=863d783444c0ecd387c905e9176bf141 ext_sharedWith=[] ext_sha256Checksum=fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:40.014640Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:02:22.586Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:03:40.014640Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/john.miller/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"863d783444c0ecd387c905e9176bf141\\\",\\\"sha256Checksum\\\":\\\"fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:36:29.460Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T23:02:22.567Z\\\",\\\"deviceUserName\\\":\\\"john.miller@c42se.com\\\",\\\"osHostName\\\":\\\"JOHNM-OFFICIAL-\\\",\\\"domainName\\\":\\\"JOHNM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\\\",\\\"0:0:0:0:0:
0:0:1\\\",\\\"172.20.64.238\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944596934062634167\\\",\\\"userUid\\\":\\\"920256648733700755\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"john.miller\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_3_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4993fc49-66eb-5a74-8700-2b0bed24b796\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:02:22.586Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"JOHNM-OFFICIAL-\",\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T23:02:22.567Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"john.miller\",\"fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833\",\"2021-09-16T23:04:29.764Z\",21,\"code42-exfil-share-datatype\",\"863d783444c0ecd387c905e9176bf141\",57848,\"false\",\"TRUE\",\"C:/Users/john.miller/\",\"Document\",\"Administrators\",\"FILE\",\"920256648733700755\",\"2021-09-16T23:02:22.586Z\",\"john.miller@c42se.com\",\"john.miller@c42se.com\",\"2020-08-14T14:36:29.460Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.168Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336774Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Configuration.Abstractions.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":21368,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e1c8f3a5d41fd162943613952097db8b\\\",\\\"sha256Checksum\\\":\\\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.771Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients
\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-30ad332e-3cc8-5056-9b47-f6c67e1be5ad\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.168Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Configuration.Abstractions.
dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"2021-09-16T22:52:32.765Z\",21368,\"code42-exfil-share-datatype\",\"e1c8f3a5d41fd162943613952097db8b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.168Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.771Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.090Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335347Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":19968,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"b2f71614b51575b117cfa4356d851423\\\",\\\"sha256Checksum\\\":\\\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.589Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.950Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9c09f4e8-150f-5f53-ba71-50de875db6f2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.090Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELL
W-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.950Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"2021-09-16T22:52:32.761Z\",19968,\"code42-exfil-share-datatype\",\"b2f71614b51575b117cfa4356d851423\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.090Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.589Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.102Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335997Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":31744,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"88d5e6253dcb376fb076c87713b3628e\\\",\\\"sha256Checksum\\\":\\\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.614Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:34.054Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":nu
ll,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61477_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-4d5460d1-da05-5833-8d33-4461a20b887c\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.102Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:34.054Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"2021-09-16T22:52:32.766Z\",31744,\"code42-exfil-share-datatype\",\"88d5e6253dcb376fb076c87713b3628e\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.102Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.614Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:55:53.470Z 804e3b095828 Skyformation - 8757910183166367699 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 dproc=file events dtz=default-tenant end=1631832953470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:53.470Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:52.553Z 
ext_md5Checksum=42095b3368e04ec563ae3cc508cf7b0b ext_sharedWith=[] ext_sha256Checksum=7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:57:12.133407Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:55:53.470Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:57:12.133407Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/alex.cooper/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"42095b3368e04ec563ae3cc508cf7b0b\\\",\\\"sha256Checksum\\\":\\\"7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a\\\",\\\"createTimestamp\\\":\\\"2020-08-14T13:57:46.726Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:55:52.553Z\\\",\\\"deviceUserName\\\":\\\"alex.cooper@c42se.com\\\",\\\"osHostName\\\":\\\"ALEXC-OFFICIAL-\\\",\\\"domainName\\\":\\\"ALEXC-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"172.20.65.62\\\",\\\"fe80:0:0:0:
d0a7:7d2c:ac2a:37db%eth4\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"944595906935824510\\\",\\\"userUid\\\":\\\"925771637667629373\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"alex.cooper\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_8_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6cc5937c-087a-5124-b1d8-ee04a483a05a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:55:53.470Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"ALEXC-OFFICIAL-\",\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:55:52.553Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"alex.cooper\",\"7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a\",\"2021-09-16T22:58:29.756Z\",21,\"code42-exfil-share-datatype\",\"42095b3368e04ec563ae3cc508cf7b0b\",57848,\"false\",\"TRUE\",\"C:/Users/alex.cooper/\",\"Document\",\"Administrators\",\"FILE\",\"925771637667629373\",\"2021-09-16T22:55:53.470Z\",\"alex.cooper@c42se.com\",\"alex.cooper@c42se.com\",\"2020-08-14T13:57:46.726Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:57:23.419Z 804e3b095828 Skyformation - 7013019646501643272 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 dproc=file events dtz=default-tenant end=1631833043419 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:23.419Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:57:22.503Z ext_md5Checksum=8ea299414f16148eb8517e478d71f64c 
ext_sharedWith=[] ext_sha256Checksum=e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:13.330998Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:57:23.419Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:58:13.330998Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/john.miller/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"8ea299414f16148eb8517e478d71f64c\\\",\\\"sha256Checksum\\\":\\\"e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e\\\",\\\"createTimestamp\\\":\\\"2020-08-14T14:36:29.460Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:57:22.503Z\\\",\\\"deviceUserName\\\":\\\"john.miller@c42se.com\\\",\\\"osHostName\\\":\\\"JOHNM-OFFICIAL-\\\",\\\"domainName\\\":\\\"JOHNM-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"172.20.64.238\\\",\\\"127.0.0.1\\\"
],\\\"deviceUid\\\":\\\"944596934062634167\\\",\\\"userUid\\\":\\\"920256648733700755\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"john.miller\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 
days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-39144912-bbfc-507f-a580-4c709660d4b3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:57:23.419Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Endpoint\",\"modify_me.txt\",\"JOHNM-OFFICIAL-\",\"
JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:57:22.503Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"john.miller\",\"e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e\",\"2021-09-16T23:00:29.720Z\",21,\"code42-exfil-share-datatype\",\"8ea299414f16148eb8517e478d71f64c\",57848,\"false\",\"TRUE\",\"C:/Users/john.miller/\",\"Document\",\"Administrators\",\"FILE\",\"920256648733700755\",\"2021-09-16T22:57:23.419Z\",\"john.miller@c42se.com\",\"john.miller@c42se.com\",\"2020-08-14T14:36:29.460Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE 
ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:44.262Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.315284Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"msipc.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":3022712,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"dcd150947325c51dc49af1c568e76466\\\",\\\"sha256Checksum\\\":\\\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:14.484Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:14.519Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9e30b314-9ee6-5218-b163-313d2a5bb546\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:44.262Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msipc.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFFICIA
L-WIN10.qa.code42.com\",\"2021-09-08T09:32:14.519Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"2021-09-16T22:52:32.766Z\",3022712,\"code42-exfil-share-datatype\",\"dcd150947325c51dc49af1c568e76466\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:44.262Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:14.484Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:28.100Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337625Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\\\",\\\"fileName\\\":\\\"msointlimm.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":377184,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"99d060c13d92442ea518ad6c13305532\\\",\\\"sha256Checksum\\\":\\\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:49.887Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:50.699Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideAc
tiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-49473a25-b7cc-50fd-a762-72b81b536667\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:28.100Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"msointlimm.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OF
FICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:50.699Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"2021-09-16T22:52:32.765Z\",377184,\"code42-exfil-share-datatype\",\"99d060c13d92442ea518ad6c13305532\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:28.100Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:49.887Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:54:34.612Z 804e3b095828 Skyformation - 6165243996888775860 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 dproc=file events dtz=default-tenant end=1631832874612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:54:34.612Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:54:33.697Z 
ext_md5Checksum=d4d35cde3d316ed4aeedf61797ae50a4 ext_sharedWith=[] ext_sha256Checksum=4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:52.367764Z ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:54:34.612Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:59:52.367764Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/sean.cassidy/\\\",\\\"fileName\\\":\\\"modify_me.txt\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Document\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":21,\\\"fileOwner\\\":\\\"Administrators\\\",\\\"md5Checksum\\\":\\\"d4d35cde3d316ed4aeedf61797ae50a4\\\",\\\"sha256Checksum\\\":\\\"4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b\\\",\\\"createTimestamp\\\":\\\"2020-03-23T20:49:51.288Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-16T22:54:33.697Z\\\",\\\"deviceUserName\\\":\\\"sean.cassidy@c42se.com\\\",\\\"osHostName\\\":\\\"SEANC-OFFICIAL-\\\",\\\"domainName\\\":\\\"SEANC-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\\\",\\\"0:0:0:0:0:
0:0:1\\\",\\\"127.0.0.1\\\",\\\"172.20.65.56\\\"],\\\"deviceUid\\\":\\\"983156854068078725\\\",\\\"userUid\\\":\\\"887050325252344565\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"text/plain\\\",\\\"mimeTypeByExtension\\\":\\\"text/plain\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"sean.cassidy\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_2_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the 
observable\",\"title\":\"Log message received by Exabeam in last 30 days contains observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a6622b12-9210-5391-b7a2-fb37b77d2330\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:54:34.612Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\
",\"Document\",\"Endpoint\",\"modify_me.txt\",\"SEANC-OFFICIAL-\",\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-16T22:54:33.697Z\",\"text/plain\",\"MODIFIED\",\"162.222.47.183\",\"sean.cassidy\",\"4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b\",\"2021-09-16T23:02:30.314Z\",21,\"code42-exfil-share-datatype\",\"d4d35cde3d316ed4aeedf61797ae50a4\",57848,\"false\",\"TRUE\",\"C:/Users/sean.cassidy/\",\"Document\",\"Administrators\",\"FILE\",\"887050325252344565\",\"2021-09-16T22:54:34.612Z\",\"sean.cassidy@c42se.com\",\"sean.cassidy@c42se.com\",\"2020-03-23T20:49:51.288Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.280Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335704Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\\\",\\\"fileName\\\":\\\"YourPhoneAppProxy.Core.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":26112,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"dc434cced48beee1b8f867474c5cc33d\\\",\\\"sha256Checksum\\\":\\\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\\\",\\\"createTimestamp\\\":\\\"2021-09-09T09:44:28.599Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-09T09:44:33.991Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\"
:null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-66391315-46a4-5cd5-8e36-797ce685401a\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.280Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"YourPhoneAppProxy.Core.resources.dll\",\"DARNELLW-
OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-09T09:44:33.991Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"2021-09-16T22:52:32.765Z\",26112,\"code42-exfil-share-datatype\",\"dc434cced48beee1b8f867474c5cc33d\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.280Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-09T09:44:28.599Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:23.191Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337203Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\\\",\\\"fileName\\\":\\\"e_sqlite3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":870400,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6844e4b40c797e392e1dddcfae0b8dd4\\\",\\\"sha256Checksum\\\":\\\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\\\",\\\"createTimestamp\\\":\\\"2020-08-20T09:07:00.718Z\\\",\\\"modifyTimestamp\\\":\\\"2020-08-20T09:07:05.686Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61479_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-9125605f-1264-5799-9b5e-5b14abd34ad1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:23.191Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"e_sqlite3.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2020-08-20T09:07:05.686Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"2021-09-16T22:52:32.766Z\",870400,\"code42-exfil-share-datatype\",\"6844e4b40c797e392e1dddcfae0b8dd4\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:23.191Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2020-08-20T09:07:00.718Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.172Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336782Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"Microsoft.Extensions.Configuration.Binder.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":24952,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"f97d210b3ede360f920e2b1d5b702d6b\\\",\\\"sha256Checksum\\\":\\\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\\\",\\\"createTimestamp\\\":\\\"2021-08-26T09:51:56.771Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-26T09:52:02.870Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":n
ull,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61474_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-40aa9339-7c7b-54de-9324-9377e056d4e2\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.172Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Microsoft.Extensions.Configuration.Binder.dll\",\"
DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-26T09:52:02.870Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"2021-09-16T22:52:32.763Z\",24952,\"code42-exfil-share-datatype\",\"f97d210b3ede360f920e2b1d5b702d6b\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.172Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-26T09:51:56.771Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.128Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337977Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"FileSyncTelemetryExtensions.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":71544,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"faaf9d982dbaa8ab547098f1fb6abc81\\\",\\\"sha256Checksum\\\":\\\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:13.402Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:13.405Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMe
diaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-1f33d210-e0ea-5ac6-bb07-7a447613b190\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.128Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"FileSyncTelemetryExtensions.dll\",\"DARNELLW-OFF
ICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:13.405Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"2021-09-16T22:52:32.759Z\",71544,\"code42-exfil-share-datatype\",\"faaf9d982dbaa8ab547098f1fb6abc81\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.128Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:13.402Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.161Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.334894Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\\\",\\\"fileName\\\":\\\"System.Windows.Controls.Ribbon.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":17784,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"981e3dd612e3d93ba10c54e46d378aa5\\\",\\\"sha256Checksum\\\":\\\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.190Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.176Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\
\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61475_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6fb7d7f8-f5f2-572a-97f2-cc3be5dd47f1\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.161Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Controls.Ribbon.resources.dll\",\
"DARNELLW-OFFICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.176Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"2021-09-16T22:52:32.762Z\",17784,\"code42-exfil-share-datatype\",\"981e3dd612e3d93ba10c54e46d378aa5\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.161Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.190Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.206Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336218Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\\\",\\\"fileName\\\":\\\"vcruntime140_cor3.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":97160,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"18049f6811fc0f94547189a9e104f5d2\\\",\\\"sha256Checksum\\\":\\\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.611Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:53.958Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe64\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61473_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6fb7d559-f724-5f37-9187-9d037f75fda3\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.206Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"vcruntime140_cor3.dll\",\"DARNELLW-OFFICI\",\"DA
RNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:53.958Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"2021-09-16T22:52:32.762Z\",97160,\"code42-exfil-share-datatype\",\"18049f6811fc0f94547189a9e104f5d2\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.206Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.611Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.281Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337045Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Text.Encodings.Web.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":59768,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"2e2490a823b4a3d290a98d0371d199ed\\\",\\\"sha256Checksum\\\":\\\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.215Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideA
ctiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_4_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-bdd0dfb1-55f1-5bbd-85ab-d589623e4230\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.281Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Text.Encodings.Web.dll\",\"DARNELLW-OFFICI\
",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.215Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"2021-09-16T22:52:32.766Z\",59768,\"code42-exfil-share-datatype\",\"2e2490a823b4a3d290a98d0371d199ed\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.281Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.105Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336624Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"DotNetty.Transport.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":254464,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"4a67dcf64aab4980b9bd9fb623cc7242\\\",\\\"sha256Checksum\\\":\\\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\\\",\\\"createTimestamp\\\":\\\"2021-08-10T09:42:45.246Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-10T09:42:50.044Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveH
ours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_15_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-13a0b29e-3db3-522a-a911-be3d684f1f07\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.105Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"DotNetty.Transport.dll\",\"DARNELLW-OFFICI\",\"D
ARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-10T09:42:50.044Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"2021-09-16T22:52:32.765Z\",254464,\"code42-exfil-share-datatype\",\"4a67dcf64aab4980b9bd9fb623cc7242\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.105Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-10T09:42:45.246Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:20.258Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335653Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\\\",\\\"fileName\\\":\\\"UIAutomationProvider.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":14200,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"6b163d1438afbe087bb895d76ea393e7\\\",\\\"sha256Checksum\\\":\\\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.361Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:49.926Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null
,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_5_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-3a1fee14-256f-510f-aced-1bf23fb968cd\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:20.258Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"UIAutomationProvider.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:49.926Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"2021-09-16T22:52:32.760Z\",14200,\"code42-exfil-share-datatype\",\"6b163d1438afbe087bb895d76ea393e7\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:20.258Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.361Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:22.285Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337054Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\\\",\\\"fileName\\\":\\\"System.Text.Json.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":293248,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"64efa1bfed847afd252e7af274648474\\\",\\\"sha256Checksum\\\":\\\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\\\",\\\"createTimestamp\\\":\\\"2021-05-13T09:36:01.168Z\\\",\\\"modifyTimestamp\\\":\\\"2021-05-13T09:36:06.215Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHou
rs\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-523329ab-5b5f-5357-a64e-8ae0ce7f5456\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:22.285Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Text.Json.dll\",\"DARNELLW-OFFICI\",\"DARNE
LLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-05-13T09:36:06.215Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"2021-09-16T22:52:32.764Z\",293248,\"code42-exfil-share-datatype\",\"64efa1bfed847afd252e7af274648474\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:22.285Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-05-13T09:36:01.168Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:19.292Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.335127Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\\\",\\\"fileName\\\":\\\"System.Windows.Forms.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":355192,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"47613e3bfa408b3299c04d0df45433ba\\\",\\\"sha256Checksum\\\":\\\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.221Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:48.301Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\
\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61476_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-22383b2e-6dd0-5329-baf0-9074acc3b3a0\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:19.292Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"System.Windows.Forms.resources.dll\",\"DARNELLW-OF
FICI\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:48.301Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"2021-09-16T22:52:32.763Z\",355192,\"code42-exfil-share-datatype\",\"47613e3bfa408b3299c04d0df45433ba\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:19.292Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.221Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:21.316Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.336422Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\\\",\\\"fileName\\\":\\\"ReachFramework.resources.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":36240,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"e2dd338ceac0daebdfdf99d72e40fd80\\\",\\\"sha256Checksum\\\":\\\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\\\",\\\"createTimestamp\\\":\\\"2021-08-18T09:55:42.643Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-18T09:55:54.349Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\
"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload; format\\\\=pe32\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_10_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-46a69277-670c-5a04-a296-4ce39a3e0361\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:21.316Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"ReachFramework.resources.dll\",\"DARNELLW-OFFICI
\",\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-18T09:55:54.349Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"2021-09-16T22:52:32.761Z\",36240,\"code42-exfil-share-datatype\",\"e2dd338ceac0daebdfdf99d72e40fd80\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:21.316Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-18T09:55:42.643Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:27.331Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:15.337467Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\\\",\\\"fileName\\\":\\\"Office.UI.Xaml.Core.winmd\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Uncategorized\\\",\\\"fileSize\\\":20280,\\\"fileOwner\\\":\\\"SYSTEM\\\",\\\"md5Checksum\\\":\\\"d16aec0e28a5f509a04722edf62e01eb\\\",\\\"sha256Checksum\\\":\\\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\\\",\\\"createTimestamp\\\":\\\"2021-08-23T09:31:50.199Z\\\",\\\"modifyTimestamp\\\":\\\"2021-08-23T09:31:54.439Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"ou
tsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/octet-stream\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_7_61480_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-6af36d6f-8b1a-53f4-b011-92aea968dc13\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:27.331Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Uncategorized\",\"Endpoint\",\"Office.UI.Xaml.Core.winmd\",\"DARNELLW-OFFICI\"
,\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"2021-08-23T09:31:54.439Z\",\"application/octet-stream\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"2021-09-16T22:52:32.764Z\",20280,\"code42-exfil-share-datatype\",\"d16aec0e28a5f509a04722edf62e01eb\",57848,\"false\",\"TRUE\",\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"Executable\",\"SYSTEM\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:27.331Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-08-23T09:31:50.199Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\\\"eventId\\\":\\\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\\\",\\\"eventType\\\":\\\"DELETED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T22:48:40.231Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T22:51:22.314459Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":\\\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\\\",\\\"fileName\\\":\\\"Qt5DBus.dll\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Executable\\\",\\\"fileCategoryByBytes\\\":\\\"Executable\\\",\\\"fileCategoryByExtension\\\":\\\"Executable\\\",\\\"fileSize\\\":437624,\\\"fileOwner\\\":\\\"darnell.waters\\\",\\\"md5Checksum\\\":\\\"d10cb4ac9a26d6350f1079399351e9d3\\\",\\\"sha256Checksum\\\":\\\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\\\",\\\"createTimestamp\\\":\\\"2021-09-08T09:32:15.238Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-08T09:32:15.354Z\\\",\\\"deviceUserName\\\":\\\"darnell.waters@c42se.com\\\",\\\"osHostName\\\":\\\"DARNELLW-OFFICI\\\",\\\"domainName\\\":\\\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\\\",\\\"publicIpAddress\\\":\\\"162.222.47.183\\\",\\\"privateIpAddresses\\\":[\\\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\\\",\\\"172.20.65.55\\\",\\\"0:0:0:0:0:0:0:1\\\",\\\"127.0.0.1\\\"],\\\"deviceUid\\\":\\\"1017088719733184290\\\",\\\"userUid\\\":\\\"902428473202283166\\\",\\\"actor\\\":null,\\\"directoryId\\\":[],\\\"source\\\":\\\"Endpoint\\\",\\\"url\\\":null,\\\"shared\\\":null,\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":null,\\\"detectionSourceAlias\\\":null,\\\"fileId\\\":null,\\\"exposure\\\":[],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":nul
l,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeByExtension\\\":\\\"application/x-msdownload\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":\\\"TRUE\\\",\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":\\\"darnell.waters\\\",\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"162.222.47.183\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_16_61478_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-ccea10ce-60a9-516a-adc2-ab30852b2b65\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T22:48:40.231Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"src_host\",\"type\":\"string\"},{\"name\":\"domain\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"os_user\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"remote_activity\",\"type\":\"string\"},{\"name\":\"file_path\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Executable\",\"Endpoint\",\"Qt5DBus.dll\",\"DARNELLW-OFFICI\",\"DARNELLW-OFF
ICIAL-WIN10.qa.code42.com\",\"2021-09-08T09:32:15.354Z\",\"application/x-msdownload\",\"DELETED\",\"162.222.47.183\",\"darnell.waters\",\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"2021-09-16T22:52:32.760Z\",437624,\"code42-exfil-share-datatype\",\"d10cb4ac9a26d6350f1079399351e9d3\",57848,\"false\",\"TRUE\",\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"Executable\",\"darnell.waters\",\"FILE\",\"902428473202283166\",\"2021-09-16T22:48:40.231Z\",\"darnell.waters@c42se.com\",\"darnell.waters@c42se.com\",\"2021-09-08T09:32:15.238Z\"]]}}]}}}],\"errors\":[{\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"code\":\"too-many-messages-warning\",\"message\":\"There are more messages in Exabeam for 162.222.47.183 than can be displayed in Threat Response. Login to the Exabeam console to see all messages.\",\"type\":\"warning\",\"module\":\"Exabeam\"}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T08:28:38.918Z\",\"uuid\":\"84f9c555-287e-4ed0-9caf-8ff5f23a21dc\"}]", "short_description": "Exabeam", "omittedObservables": [], "archivedObservables": [{"key": "7dddf0ad-0f0d-44da-b109-ae4251e920c5", "value": "162.222.47.183", "indicators": [], "type": "ip", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f5f1e5c6", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "ip", "value": "162.222.47.183"}, "type": "warning", "action_id": "84f9c555-287e-4ed0-9caf-8ff5f23a21dc", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for 162.222.47.183 than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "162.222.47.183", "id": "f5f1e5c6", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] 
ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.231Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314459Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5DBus.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":437624,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"d10cb4ac9a26d6350f1079399351e9d3\",\"sha256Checksum\":\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"createTimestamp\":\"2021-09-08T09:32:15.238Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.354Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[
],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ccea10ce-60a9-516a-adc2-ab30852b2b65", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.231Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5DBus.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:15.354Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8", "2021-09-16T22:52:32.760Z", 437624, "code42-exfil-share-datatype", "d10cb4ac9a26d6350f1079399351e9d3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.231Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.238Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.331Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337467Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.Core.winmd\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":20280,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d16aec0e28a5f509a04722edf62e01eb\",\"sha256Checksum\":\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.439Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":n
ull,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6af36d6f-8b1a-53f4-b011-92aea968dc13", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.331Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": 
"string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Office.UI.Xaml.Core.winmd", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.439Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7", "2021-09-16T22:52:32.764Z", 20280, "code42-exfil-share-datatype", "d16aec0e28a5f509a04722edf62e01eb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.331Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file 
flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] 
ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.316Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336422Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e2dd338ceac0daebdfdf99d72e40fd80\",\"sha256Checksum\":\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.349Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":nul
l,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-46a69277-670c-5a04-a296-4ce39a3e0361", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.316Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.349Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34", "2021-09-16T22:52:32.761Z", 36240, "code42-exfil-share-datatype", "e2dd338ceac0daebdfdf99d72e40fd80", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.316Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335127Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Forms.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":355192,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47613e3bfa408b3299c04d0df45433ba\",\"sha256Checksum\":\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.301Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\"
:[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-22383b2e-6dd0-5329-baf0-9074acc3b3a0", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.292Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.301Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5", "2021-09-16T22:52:32.763Z", 355192, "code42-exfil-share-datatype", "47613e3bfa408b3299c04d0df45433ba", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.285Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337054Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":293248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"64efa1bfed847afd252e7af274648474\",\"sha256Checksum\":\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-523329ab-5b5f-5357-a64e-8ae0ce7f5456", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.285Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237", "2021-09-16T22:52:32.764Z", 293248, "code42-exfil-share-datatype", "64efa1bfed847afd252e7af274648474", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.285Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335653Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6b163d1438afbe087bb895d76ea393e7\",\"sha256Checksum\":\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.926Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"
removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3a1fee14-256f-510f-aced-1bf23fb968cd", 
"observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.258Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.926Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3", "2021-09-16T22:52:32.760Z", 14200, "code42-exfil-share-datatype", "6b163d1438afbe087bb895d76ea393e7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", 
"902428473202283166", "2021-09-16T22:48:20.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.105Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336624Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"DotNetty.Transport.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":254464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a67dcf64aab4980b9bd9fb623cc7242\",\"sha256Checksum\":\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.044Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":
null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-13a0b29e-3db3-522a-a911-be3d684f1f07", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.105Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "DotNetty.Transport.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.044Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4", "2021-09-16T22:52:32.765Z", 254464, "code42-exfil-share-datatype", "4a67dcf64aab4980b9bd9fb623cc7242", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.105Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337045Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Encodings.Web.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":59768,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2e2490a823b4a3d290a98d0371d199ed\",\"sha256Checksum\":\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bdd0dfb1-55f1-5bbd-85ab-d589623e4230", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.281Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Encodings.Web.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724", "2021-09-16T22:52:32.766Z", 59768, "code42-exfil-share-datatype", "2e2490a823b4a3d290a98d0371d199ed", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336218Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"vcruntime140_cor3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":97160,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18049f6811fc0f94547189a9e104f5d2\",\"sha256Checksum\":\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"createTimestamp\":\"2021-08-18T09:55:42.611Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.958Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":nu
ll,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6fb7d559-f724-5f37-9187-9d037f75fda3", "observed_start_time": "2021-09-16T22:48:21Z", "count": 
1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.206Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "vcruntime140_cor3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.958Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db", "2021-09-16T22:52:32.762Z", 97160, "code42-exfil-share-datatype", "18049f6811fc0f94547189a9e104f5d2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.206Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-08-18T09:55:42.611Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.161Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334894Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"981e3dd612e3d93ba10c54e46d378aa5\",\"sha256Checksum\":\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.176Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\"
,\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6fb7d7f8-f5f2-572a-97f2-cc3be5dd47f1", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.161Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.176Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0", "2021-09-16T22:52:32.762Z", 17784, "code42-exfil-share-datatype", "981e3dd612e3d93ba10c54e46d378aa5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.161Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.128Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337977Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncTelemetryExtensions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":71544,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"faaf9d982dbaa8ab547098f1fb6abc81\",\"sha256Checksum\":\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"createTimestamp\":\"2021-09-08T09:32:13.402Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.405Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTy
peByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1f33d210-e0ea-5ac6-bb07-7a447613b190", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.128Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncTelemetryExtensions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.405Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239", "2021-09-16T22:52:32.759Z", 71544, "code42-exfil-share-datatype", "faaf9d982dbaa8ab547098f1fb6abc81", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.128Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.402Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.172Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336782Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Binder.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":24952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f97d210b3ede360f920e2b1d5b702d6b\",\"sha256Checksum\":\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVe
ndor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-40aa9339-7c7b-54de-9324-9377e056d4e2", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.172Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Binder.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4", "2021-09-16T22:52:32.763Z", 24952, "code42-exfil-share-datatype", "f97d210b3ede360f920e2b1d5b702d6b", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.172Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z 
ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.191Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337203Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"fileName\":\"e_sqlite3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":870400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6844e4b40c797e392e1dddcfae0b8dd4\",\"sha256Checksum\":\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"createTimestamp\":\"2020-08-20T09:07:00.718Z\",\"modifyTimestamp\":\"2020-08-20T09:07:05.686Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9125605f-1264-5799-9b5e-5b14abd34ad1", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.191Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", 
"type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "e_sqlite3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-08-20T09:07:05.686Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1", "2021-09-16T22:52:32.766Z", 870400, "code42-exfil-share-datatype", "6844e4b40c797e392e1dddcfae0b8dd4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.191Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-08-20T09:07:00.718Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file 
flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; 
format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.280Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335704Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc434cced48beee1b8f867474c5cc33d\",\"sha256Checksum\":\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"createTimestamp\":\"2021-09-09T09:44:28.599Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.991Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUserna
me\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66391315-46a4-5cd5-8e36-797ce685401a", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.280Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.991Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6", "2021-09-16T22:52:32.765Z", 26112, "code42-exfil-share-datatype", "dc434cced48beee1b8f867474c5cc33d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.280Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.599Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:54:34.612Z 
804e3b095828 Skyformation - 6165243996888775860 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 dproc=file events dtz=default-tenant end=1631832874612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:54:34.612Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:54:33.697Z ext_md5Checksum=d4d35cde3d316ed4aeedf61797ae50a4 ext_sharedWith=[] ext_sha256Checksum=4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:52.367764Z ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:54:34.612Z\",\"insertionTimestamp\":\"2021-09-16T22:59:52.367764Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/sean.cassidy/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"d4d35cde3d316ed4aeedf61797ae50a4\",\"sha256Checksum\":\"4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b\",\"createTimestamp\":\"2020-03-23T20:49:51.288Z\",\"modifyTimestamp\":\"2021-09-16T22:54:33.697Z\",\"deviceUserName\":\"sean.cassidy@c42se.com\",\"osHostName\":\"SEANC-OFFICIAL-\",\"domainName\":\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\",\"172.20.65.56\"],\"deviceUid\":\"983156854068078725\",\"userUid\":\"887050325252344565\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\
":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"sean.cassidy\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:54:34Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a6622b12-9210-5391-b7a2-fb37b77d2330", "observed_start_time": "2021-09-16T22:54:34Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:54:34.612Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "SEANC-OFFICIAL-", "SEANC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:54:33.697Z", "text/plain", "MODIFIED", "162.222.47.183", "sean.cassidy", "4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b", "2021-09-16T23:02:30.314Z", 21, "code42-exfil-share-datatype", "d4d35cde3d316ed4aeedf61797ae50a4", 57848, "false", "TRUE", "C:/Users/sean.cassidy/", "Document", "Administrators", "FILE", "887050325252344565", "2021-09-16T22:54:34.612Z", "sean.cassidy@c42se.com", "sean.cassidy@c42se.com", "2020-03-23T20:49:51.288Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.100Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337625Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointlimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":377184,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"99d060c13d92442ea518ad6c13305532\",\"sha256Checksum\":\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"remov
ableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-49473a25-b7cc-50fd-a762-72b81b536667", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "ip", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.100Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointlimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191", "2021-09-16T22:52:32.765Z", 377184, "code42-exfil-share-datatype", "99d060c13d92442ea518ad6c13305532", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.100Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.262Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315284Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"msipc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3022712,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"dcd150947325c51dc49af1c568e76466\",\"sha256Checksum\":\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"createTimestamp\":\"2021-09-08T09:32:14.484Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.519Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":n
ull,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9e30b314-9ee6-5218-b163-313d2a5bb546", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.262Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msipc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:14.519Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1", "2021-09-16T22:52:32.766Z", 3022712, "code42-exfil-share-datatype", "dcd150947325c51dc49af1c568e76466", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.262Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.484Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:57:23.419Z 804e3b095828 Skyformation - 7013019646501643272 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 dproc=file events dtz=default-tenant end=1631833043419 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:23.419Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:57:22.503Z ext_md5Checksum=8ea299414f16148eb8517e478d71f64c ext_sharedWith=[] 
ext_sha256Checksum=e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:13.330998Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:57:23.419Z\",\"insertionTimestamp\":\"2021-09-16T22:58:13.330998Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"8ea299414f16148eb8517e478d71f64c\",\"sha256Checksum\":\"e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T22:57:22.503Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\
":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:57:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-39144912-bbfc-507f-a580-4c709660d4b3", "observed_start_time": "2021-09-16T22:57:23Z", "count": 1, "observable_type": "ip", "ctr_uuid": "a1f10421-bd33-4f50-8324-f03652392c01", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:57:23.419Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", 
"JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:57:22.503Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e", "2021-09-16T23:00:29.720Z", 21, "code42-exfil-share-datatype", "8ea299414f16148eb8517e478d71f64c", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T22:57:23.419Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:53.470Z 804e3b095828 Skyformation - 8757910183166367699 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 dproc=file events dtz=default-tenant end=1631832953470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:53.470Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:52.553Z ext_md5Checksum=42095b3368e04ec563ae3cc508cf7b0b ext_sharedWith=[] ext_sha256Checksum=7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:57:12.133407Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:53.470Z\",\"insertionTimestamp\":\"2021-09-16T22:57:12.133407Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/alex.cooper/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"42095b3368e04ec563ae3cc508cf7b0b\",\"sha256Checksum\":\"7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a\",\"createTimestamp\":\"2020-08-14T13:57:46.726Z\",\"modifyTimestamp\":\"2021-09-16T22:55:52.553Z\",\"deviceUserName\":\"alex.cooper@c42se.com\",\"osHostName\":\"ALEXC-OFFICIAL-\",\"domainName\":\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.65.62\",\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944595906935824510\",\"userUid\":\"925771637667629373\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"file
Id\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"alex.cooper\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:53Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6cc5937c-087a-5124-b1d8-ee04a483a05a", "observed_start_time": "2021-09-16T22:55:53Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:53.470Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ALEXC-OFFICIAL-", "ALEXC-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:55:52.553Z", "text/plain", "MODIFIED", "162.222.47.183", "alex.cooper", "7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "42095b3368e04ec563ae3cc508cf7b0b", 57848, "false", "TRUE", "C:/Users/alex.cooper/", "Document", "Administrators", "FILE", "925771637667629373", "2021-09-16T22:55:53.470Z", "alex.cooper@c42se.com", "alex.cooper@c42se.com", "2020-08-14T13:57:46.726Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.102Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335997Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":31744,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"88d5e6253dcb376fb076c87713b3628e\",\"sha256Checksum\":\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"createTimestamp\":\"2021-09-09T09:44:28.614Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.054Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d5460d1-da05-5833-8d33-4461a20b887c", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.102Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.054Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a", "2021-09-16T22:52:32.766Z", 31744, "code42-exfil-share-datatype", "88d5e6253dcb376fb076c87713b3628e", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.102Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.614Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.090Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335347Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":19968,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b2f71614b51575b117cfa4356d851423\",\"sha256Checksum\":\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"createTimestamp\":\"2021-09-09T09:44:28.589Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.950Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVen
dor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-9c09f4e8-150f-5f53-ba71-50de875db6f2", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.090Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.950Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b", "2021-09-16T22:52:32.761Z", 19968, "code42-exfil-share-datatype", "b2f71614b51575b117cfa4356d851423", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.090Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.589Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.168Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336774Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Abstractions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":21368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1c8f3a5d41fd162943613952097db8b\",\"sha256Checksum\":\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-30ad332e-3cc8-5056-9b47-f6c67e1be5ad", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.168Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Abstractions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732", "2021-09-16T22:52:32.765Z", 21368, "code42-exfil-share-datatype", "e1c8f3a5d41fd162943613952097db8b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.168Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:02:22.586Z 804e3b095828 Skyformation - 166520060466349731 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 dproc=file events dtz=default-tenant end=1631833342586 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:02:22.586Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:22.567Z ext_md5Checksum=863d783444c0ecd387c905e9176bf141 ext_sharedWith=[] ext_sha256Checksum=fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:40.014640Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:02:22.586Z\",\"insertionTimestamp\":\"2021-09-16T23:03:40.014640Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"863d783444c0ecd387c905e9176bf141\",\"sha256Checksum\":\"fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T23:02:22.567Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":f
alse,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:02:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_3_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4993fc49-66eb-5a74-8700-2b0bed24b796", "observed_start_time": "2021-09-16T23:02:22Z", "count": 1, "observable_type": "ip", "ctr_uuid": "41ce6a98-376a-408e-a126-14b22993139c", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:02:22.586Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": 
"string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:02:22.567Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833", "2021-09-16T23:04:29.764Z", 21, "code42-exfil-share-datatype", "863d783444c0ecd387c905e9176bf141", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T23:02:22.586Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.190Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336835Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Logging.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":34168,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47d7a055ee7672f9b54ba629da07a6a3\",\"sha256Checksum\":\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination
\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-19f4f026-7d63-5465-9fc6-c1821bd52f8b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.190Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Logging.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c", "2021-09-16T22:52:32.766Z", 34168, "code42-exfil-share-datatype", "47d7a055ee7672f9b54ba629da07a6a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.190Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 
2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337538Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"TextEntityExtractorProxy.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":638976,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f8af1754c0bdb86deb1f68930784d580\",\"sha256Checksum\":\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.205Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"proces
sOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-767515fa-6d2b-54eb-b95a-d0ed62b96e67", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.350Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "TextEntityExtractorProxy.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.205Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab", "2021-09-16T22:52:32.767Z", 638976, "code42-exfil-share-datatype", "f8af1754c0bdb86deb1f68930784d580", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.309Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337398Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxOutlook.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1439232,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"845c649d20d35fc78fbab0c0d9ec5ec6\",\"sha256Checksum\":\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.168Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingS
ystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8ecbddf4-f6de-5532-b9a4-0c18b11274a2", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.309Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, 
{"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxOutlook.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.168Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a", "2021-09-16T22:52:32.761Z", 1439232, "code42-exfil-share-datatype", "845c649d20d35fc78fbab0c0d9ec5ec6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.309Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:56:54.736Z 804e3b095828 Skyformation - 2768134485455653850 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 dproc=file events dtz=default-tenant end=1631833014736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:56:54.736Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:53.830Z ext_md5Checksum=d7bad10ef06efb58306cf290c0666440 ext_sharedWith=[] ext_sha256Checksum=158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:26.353681Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:56:54.736Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353681Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/michelle.goldberg/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"d7bad10ef06efb58306cf290c0666440\",\"sha256Checksum\":\"158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba\",\"createTimestamp\":\"2020-08-14T14:53:22.049Z\",\"modifyTimestamp\":\"2021-09-16T22:56:53.830Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mime
TypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:56:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-53659e52-f299-5197-b32b-1b8ec8f96d9d", "observed_start_time": "2021-09-16T22:56:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:56:54.736Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": 
"modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:56:53.830Z", "text/plain", "MODIFIED", "162.222.47.183", "michelle.goldberg", "158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba", "2021-09-16T23:00:29.721Z", 21, "code42-exfil-share-datatype", "d7bad10ef06efb58306cf290c0666440", 57848, "false", "TRUE", "C:/Users/michelle.goldberg/", "Document", "Administrators", "FILE", "922302705889597824", "2021-09-16T22:56:54.736Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2020-08-14T14:53:22.049Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 8292696232025279500 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=3e524e400c05f8303ada6e81308853048f98951f fsize=348600 msg=Resource [Resource: file :: 3e524e400c05f8303ada6e81308853048f98951f] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=3e524e400c05f8303ada6e81308853048f98951f ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:53:42.201Z ext_md5Checksum=a41a0e7d69c8b117f5a841863ad4d765 ext_sharedWith=[] ext_sha256Checksum=ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=348600 ext_insertionTimestamp=2021-09-16T22:59:26.353728Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T09:53:42.064Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:55:32.032Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353728Z\",\"fieldErrors\":[],\"filePath\":\"C:/Windows/SoftwareDistribution/Download/\",\"fileName\":\"3e524e400c05f8303ada6e81308853048f98951f\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":348600,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"a41a0e7d69c8b117f5a841863ad4d765\",\"sha256Checksum\":\"ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae\",\"createTimestamp\":\"2021-09-15T09:53:42.064Z\",\"modifyTimestamp\":\"2021-09-15T09:53:42.201Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNam
es\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:32Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b141bf70-a77d-5e91-985f-804abf86f186", "observed_start_time": "2021-09-16T22:55:32Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:32.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "3e524e400c05f8303ada6e81308853048f98951f", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-15T09:53:42.201Z", "application/octet-stream", "DELETED", "162.222.47.183", "michelle.goldberg", "ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae", "2021-09-16T23:00:29.721Z", 348600, "code42-exfil-share-datatype", "a41a0e7d69c8b117f5a841863ad4d765", 57848, "false", "TRUE", "C:/Windows/SoftwareDistribution/Download/", "Executable", "SYSTEM", "FILE", "922302705889597824", "2021-09-16T22:55:32.032Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2021-09-15T09:53:42.064Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 
ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314982Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-conio-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c61e3c9099cc2b143cc93bf26ac01d34\",\"sha256Checksum\":\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"createTimestamp\":\"2021-09-08T09:32:11.790Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.790Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"re
movableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-19461a73-1623-57e1-9868-8316927e555a", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.158Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-conio-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.790Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc", "2021-09-16T22:52:32.763Z", 12664, "code42-exfil-share-datatype", "c61e3c9099cc2b143cc93bf26ac01d34", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", 
"Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.790Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:53:34.592Z 804e3b095828 Skyformation - 5887001634145810066 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 dproc=file events dtz=default-tenant end=1631832814592 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:53:34.592Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:53:33.688Z ext_md5Checksum=984ffdd35a8b9587207b594e6a6391b5 ext_sharedWith=[] ext_sha256Checksum=d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:27.640048Z 
ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:53:34.592Z\",\"insertionTimestamp\":\"2021-09-16T22:54:27.640048Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/sean.cassidy/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"984ffdd35a8b9587207b594e6a6391b5\",\"sha256Checksum\":\"d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e\",\"createTimestamp\":\"2020-03-23T20:49:51.288Z\",\"modifyTimestamp\":\"2021-09-16T22:53:33.688Z\",\"deviceUserName\":\"sean.cassidy@c42se.com\",\"osHostName\":\"SEANC-OFFICIAL-\",\"domainName\":\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\",\"172.20.65.56\"],\"deviceUid\":\"983156854068078725\",\"userUid\":\"887050325252344565\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":n
ull,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"sean.cassidy\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:53:34Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-719c033c-53b7-50ac-bf24-b8c674179635", "observed_start_time": "2021-09-16T22:53:34Z", "count": 1, "observable_type": "ip", "confidence": 
"High", "observed_time": {"start_time": "2021-09-16T22:53:34.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "SEANC-OFFICIAL-", "SEANC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:53:33.688Z", "text/plain", "MODIFIED", "162.222.47.183", "sean.cassidy", "d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "984ffdd35a8b9587207b594e6a6391b5", 57848, "false", "TRUE", "C:/Users/sean.cassidy/", "Document", "Administrators", "FILE", "887050325252344565", "2021-09-16T22:53:34.592Z", "sean.cassidy@c42se.com", "sean.cassidy@c42se.com", "2020-03-23T20:49:51.288Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:01:54.338Z 804e3b095828 Skyformation - 
5372332763298212826 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 dproc=file events dtz=default-tenant end=1631833314338 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:01:54.338Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:01:53.526Z ext_md5Checksum=88b43443da22c25cf6c00f8cd5c67b29 ext_sharedWith=[] ext_sha256Checksum=7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:49.223927Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:01:54.338Z\",\"insertionTimestamp\":\"2021-09-16T23:02:49.223927Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/russell.martin/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"88b43443da22c25cf6c00f8cd5c67b29\",\"sha256Checksum\":\"7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69\",\"createTimestamp\":\"2020-08-21T01:27:36.760Z\",\"modifyTimestamp\":\"2021-09-16T23:01:53.526Z\",\"deviceUserName\":\"russell.martin@example.edu\",\"osHostName\":\"RUSSELLM-OFFICI\",\"domainName\":\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.162\",\"fe80:0:0:0:49f7:c945:904:10d5%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423453587837882\",\"userUid\":\"966201050854648997\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipient
s\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"russell.martin\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:01:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-87711222-9004-58f2-8d70-d87870bdc475", "observed_start_time": "2021-09-16T23:01:54Z", "count": 1, "observable_type": "ip", "ctr_uuid": "8f6040be-aa37-4fc3-8cb4-58d4974ba70b", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:01:54.338Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "RUSSELLM-OFFICI", "RUSSELLM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:01:53.526Z", "text/plain", "MODIFIED", "162.222.47.183", "russell.martin", "7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69", "2021-09-16T23:04:29.765Z", 21, "code42-exfil-share-datatype", "88b43443da22c25cf6c00f8cd5c67b29", 57848, "false", "TRUE", "C:/Users/russell.martin/", "Document", "Administrators", "FILE", "966201050854648997", "2021-09-16T23:01:54.338Z", "russell.martin@example.edu", "russell.martin@example.edu", "2020-08-21T01:27:36.760Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.284Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337354Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxCommModel.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4250624,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1d0bcfa0671f607ba8e3ab53f893e8bb\",\"sha256Checksum\":\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.137Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-366d1237-2f8f-52da-b57a-6c5aeff7f553", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-09-16T22:48:27.284Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxCommModel.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.137Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3", "2021-09-16T22:52:32.763Z", 4250624, "code42-exfil-share-datatype", "1d0bcfa0671f607ba8e3ab53f893e8bb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.284Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, 
{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:52:00.340Z 804e3b095828 Skyformation - 101121762317961190 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 dproc=file events dtz=default-tenant end=1631832720340 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:00.340Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:59.527Z ext_md5Checksum=a5d9591d6f143c127c28abadbf112417 ext_sharedWith=[] ext_sha256Checksum=ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:59.169359Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:52:00.340Z\",\"insertionTimestamp\":\"2021-09-16T22:52:59.169359Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"a5d9591d6f143c127c28abadbf112417\",\"sha256Checksum\":\"ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T22:51:59.527Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailD
lpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:52:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b32701b6-d75d-5708-8872-225eb4b7fbd8", "observed_start_time": "2021-09-16T22:52:00Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:52:00.340Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", "KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:51:59.527Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "a5d9591d6f143c127c28abadbf112417", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T22:52:00.340Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.108Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Google.Protobuf.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":401064,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e73f645a041a91618e33299cfe33851\",\"sha256Checksum\":\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.060Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity
\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-764e8852-01b4-5167-bee9-61f29e31602d", "observed_start_time": 
"2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.108Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Google.Protobuf.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.060Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661", "2021-09-16T22:52:32.766Z", 401064, "code42-exfil-share-datatype", "5e73f645a041a91618e33299cfe33851", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.108Z", 
"darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:47:48.222Z\",\"insertionTimestamp\":\"2021-09-16T22:56:50.885010Z\",\"fieldErrors\":[],\"filePath\":\"C:/\",\"fileName\":\"sshd.pid\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":6,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4ae3b17c6481c84809152f331f7d783c\",\"sha256Checksum\":\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"createTimestamp\":\"2021-03-17T09:49:37.832Z\",\"modifyTimestamp\":\"2021-09-16T09:39:11.904Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPar
titionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:47:48Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5d48b52e-0e61-5614-b642-183dc0ac545e", "observed_start_time": "2021-09-16T22:47:48Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:47:48.222Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "sshd.pid", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T09:39:11.904Z", "application/octet-stream", "MODIFIED", "162.222.47.183", "darnell.waters", "c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750", "2021-09-16T22:58:29.756Z", 6, "code42-exfil-share-datatype", "4ae3b17c6481c84809152f331f7d783c", 57848, "false", "TRUE", "C:/", "Document", "Administrators", "FILE", "902428473202283166", "2021-09-16T22:47:48.222Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-03-17T09:49:37.832Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false 
ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",\"sha256Checksum\":\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"createTimestamp\":\"2021-09-09T09:44:28.598Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.987Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"
tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2574907d-cae0-57cc-b985-8815cca5ac1d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.288Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.987Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c", "2021-09-16T22:52:32.761Z", 26112, "code42-exfil-share-datatype", "c0d4746e3cb9e48dfa98f5e7d7bd98a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.598Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.146Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335417Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":208784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"beeb465b9ab84dbb8f78f866924d49fe\",\"sha256Checksum\":\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"createTimestamp\":\"2021-08-18T09:55:42.315Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.676Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-292bec71-c562-577a-a94f-ab54370603eb", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.146Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.676Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154", "2021-09-16T22:52:32.766Z", 208784, "code42-exfil-share-datatype", "beeb465b9ab84dbb8f78f866924d49fe", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.146Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.315Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.163Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335444Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b5cb4e7532586d8ec2a144fe895ef55d\",\"sha256Checksum\":\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"createTimestamp\":\"2021-08-18T09:55:42.330Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.707Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removab
leMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-1b62b73d-4074-5e2d-aed4-f833528c33c6", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.163Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.707Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e", "2021-09-16T22:52:32.765Z", 17272, "code42-exfil-share-datatype", "b5cb4e7532586d8ec2a144fe895ef55d", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.163Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.330Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] 
ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314470Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Gui.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6671232,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f53d5cd7837e933cf4cc8c07a1a88350\",\"sha256Checksum\":\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"createTimestamp\":\"2021-09-08T09:32:15.375Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.450Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":
[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6f1119de-1ca4-5c02-8a48-8d233b6c7f51", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.234Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Gui.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:15.450Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0", "2021-09-16T22:52:32.762Z", 6671232, "code42-exfil-share-datatype", "f53d5cd7837e933cf4cc8c07a1a88350", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.234Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.375Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.060Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335277Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1ac89288b8009c9a0fb138fb9d67b150\",\"sha256Checksum\":\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"createTimestamp\":\"2021-09-09T09:44:28.586Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.943Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9918c6d9-765e-5d8c-b914-bf67bca5fb25", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.060Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.943Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780", "2021-09-16T22:52:32.763Z", 30720, "code42-exfil-share-datatype", "1ac89288b8009c9a0fb138fb9d67b150", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.060Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.586Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.219Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336922Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Newtonsoft.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":653824,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f33cbe589b769956284868104686cc2d\",\"sha256Checksum\":\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"createTimestamp\":\"2020-05-21T13:18:58.618Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.588Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity
\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-aea8b0e5-235a-5595-8967-8fed89dcca7f", 
"observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.219Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Newtonsoft.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.588Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278", "2021-09-16T22:52:32.761Z", 653824, "code42-exfil-share-datatype", "f33cbe589b769956284868104686cc2d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:22.219Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] 
ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.160Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336148Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"077bb8ca6a783006aacb63d08317c339\",\"sha256Checksum\":\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61471_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0357656e-2c0b-5454-97fc-aaff38ba6255", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.160Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92", "2021-09-16T22:52:32.764Z", 17272, "code42-exfil-share-datatype", "077bb8ca6a783006aacb63d08317c339", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.160Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 2046146408369861582 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=4447782c2756c6c447299d79a0e92f6950df5def fsize=3105208 msg=Resource [Resource: file :: 4447782c2756c6c447299d79a0e92f6950df5def] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=4447782c2756c6c447299d79a0e92f6950df5def ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T10:01:33.097Z ext_md5Checksum=3a09012f4a87abb2366ffbf8ca4b70ec ext_sharedWith=[] ext_sha256Checksum=0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3105208 ext_insertionTimestamp=2021-09-16T22:59:26.353746Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T10:01:32.918Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:55:32.032Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353746Z\",\"fieldErrors\":[],\"filePath\":\"C:/Windows/SoftwareDistribution/Download/\",\"fileName\":\"4447782c2756c6c447299d79a0e92f6950df5def\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":3105208,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3a09012f4a87abb2366ffbf8ca4b70ec\",\"sha256Checksum\":\"0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862\",\"createTimestamp\":\"2021-09-15T10:01:32.918Z\",\"modifyTimestamp\":\"2021-09-15T10:01:33.097Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"remo
vableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:32Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_11_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6a55a80a-3597-5ff8-8362-b51c90225a52", "observed_start_time": "2021-09-16T22:55:32Z", "count": 1, "observable_type": 
"ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:32.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "4447782c2756c6c447299d79a0e92f6950df5def", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-15T10:01:33.097Z", "application/octet-stream", "DELETED", "162.222.47.183", "michelle.goldberg", "0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862", "2021-09-16T23:02:30.312Z", 3105208, "code42-exfil-share-datatype", "3a09012f4a87abb2366ffbf8ca4b70ec", 57848, "false", "TRUE", "C:/Windows/SoftwareDistribution/Download/", "Executable", "SYSTEM", "FILE", "922302705889597824", "2021-09-16T22:55:32.032Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2021-09-15T10:01:32.918Z"]]}}, 
{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.192Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314319Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.Calc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1333608,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"29b2b242a9fb8c094425d566c50f0958\",\"sha256Checksum\":\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"createTimestamp\":\"2021-09-08T09:32:13.949Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.967Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\
":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d06e6d6c-2bd7-559d-88b4-d7e4d1a89e9a", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.192Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.Calc.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.967Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64", "2021-09-16T22:52:32.760Z", 1333608, "code42-exfil-share-datatype", "29b2b242a9fb8c094425d566c50f0958", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.192Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.949Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335338Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"mscorrc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":13176,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fc24926593d08479a7ed2bdaff458d20\",\"sha256Checksum\":\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"createTimestamp\":\"2021-08-18T09:55:42.252Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.613Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemU
ser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-986981d1-b0c1-5463-b0d6-0f4ac3764bf2", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.086Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": 
"sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorrc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.613Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532", "2021-09-16T22:52:32.759Z", 13176, "code42-exfil-share-datatype", "fc24926593d08479a7ed2bdaff458d20", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.252Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED 
flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] 
ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.166Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Caching.Memory.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":32120,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"9e7c8d18c1128488df0dea96a6b5be3c\",\"sha256Checksum\":\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.247Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":nu
ll,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-32cf786a-b54f-5f06-8b5f-120a57ee31d5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.166Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Caching.Memory.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.247Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f", "2021-09-16T22:52:32.764Z", 32120, "code42-exfil-share-datatype", "9e7c8d18c1128488df0dea96a6b5be3c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.166Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 
ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336563Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"AutoMapper.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":286720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff3c3d84a000d57ef7d443f594d407ec\",\"sha256Checksum\":\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"createTimestamp\":\"2021-06-17T09:48:12.583Z\",\"modifyTimestamp\":\"2021-06-17T09:48:17.915Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":
[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4092231e-8015-5e72-93c4-007b94515cd6", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.086Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "AutoMapper.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-06-17T09:48:17.915Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48", "2021-09-16T22:52:32.759Z", 286720, "code42-exfil-share-datatype", "ff3c3d84a000d57ef7d443f594d407ec", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-06-17T09:48:12.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.123Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"igxim.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4910872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d19ae43d04b6c5c4b5f3fcc081b9e602\",\"sha256Checksum\":\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSy
stemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb0321a2-a87b-56fe-b5b5-20b9c02a89b4", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.123Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, 
{"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "igxim.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701", "2021-09-16T22:52:32.759Z", 4910872, "code42-exfil-share-datatype", "d19ae43d04b6c5c4b5f3fcc081b9e602", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.123Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:02.481Z\",\"insertionTimestamp\":\"2021-09-16T22:55:54.847061Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661687,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3df126f4a090da12f2c29b6e5c1c29da\",\"sha256Checksum\":\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.206Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-32ba2af3-2036-5524-8bbc-ace366ddd95d", "observed_start_time": "2021-09-16T22:55:02Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:02.481Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:55:00.206Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c", "2021-09-16T22:58:29.755Z", 6661687, "code42-exfil-share-datatype", "3df126f4a090da12f2c29b6e5c1c29da", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:55:02.481Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant 
duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.388Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314702Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-datetime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"98cfeaa96192d5dccc4a1852f6754fd5\",\"sha256Checksum\":\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"createTimestamp\":\"2021-09-08T09:32:11.142Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.155Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestin
ationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a5f54c34-5c36-5f79-9a0a-cd3443ceaf39", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.388Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-datetime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.155Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027", "2021-09-16T22:52:32.762Z", 11648, "code42-exfil-share-datatype", "98cfeaa96192d5dccc4a1852f6754fd5", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.388Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.142Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 
5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.133Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336694Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":144760,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1edab455db5fec76120731d3c11cb67\",\"sha256Checksum\":\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.823Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\"
:null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f3d93fcd-248c-5cf5-b1e3-7ea6efaeb96e", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.133Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.Core.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.823Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b", "2021-09-16T22:52:32.761Z", 144760, "code42-exfil-share-datatype", "e1edab455db5fec76120731d3c11cb67", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.133Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:01.316Z 804e3b095828 Skyformation - 5313767959944003510 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 dproc=file events dtz=default-tenant end=1631832901316 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:01.316Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.503Z 
ext_md5Checksum=1ed9751c3a3a31efb6d268320a46952a ext_sharedWith=[] ext_sha256Checksum=8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:00.284722Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:01.316Z\",\"insertionTimestamp\":\"2021-09-16T22:56:00.284722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/lisa.anderson/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"1ed9751c3a3a31efb6d268320a46952a\",\"sha256Checksum\":\"8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab\",\"createTimestamp\":\"2020-08-20T15:35:40.032Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.503Z\",\"deviceUserName\":\"lisa.anderson@example.edu\",\"osHostName\":\"LISAA-OFFICIAL-\",\"domainName\":\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.165\",\"0:0:0:0:0:0:0:1\",\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\",\"127.0.0.1\"],\"deviceUid\":\"968364480722593364\",\"userUid\":\"966200991614299301\",\"actor\":null,\"director
yId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"lisa.anderson\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3ebf614-7a41-54e5-b9ad-6e8b032a6820", "observed_start_time": "2021-09-16T22:55:01Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:01.316Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "LISAA-OFFICIAL-", "LISAA-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:55:00.503Z", "text/plain", "MODIFIED", "162.222.47.183", "lisa.anderson", "8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "1ed9751c3a3a31efb6d268320a46952a", 57848, "false", "TRUE", "C:/Users/lisa.anderson/", "Document", "Administrators", "FILE", "966200991614299301", "2021-09-16T22:55:01.316Z", "lisa.anderson@example.edu", "lisa.anderson@example.edu", "2020-08-20T15:35:40.032Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.130Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336068Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d7b70d7ae944e13019a7796eb46e966c\",\"sha256Checksum\":\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2dfdd205-d548-557a-a188-7105930ba081", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.130Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "d7b70d7ae944e13019a7796eb46e966c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.130Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:52:54.712Z 804e3b095828 Skyformation - 1972555328724139685 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 dproc=file events dtz=default-tenant end=1631832774712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:54.712Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:52:53.806Z ext_md5Checksum=352c6e242381d6d2fd656d2ffe3f05a9 ext_sharedWith=[] ext_sha256Checksum=97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:02.107014Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:52:54.712Z\",\"insertionTimestamp\":\"2021-09-16T22:54:02.107014Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/michelle.goldberg/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"352c6e242381d6d2fd656d2ffe3f05a9\",\"sha256Checksum\":\"97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d\",\"createTimestamp\":\"2020-08-14T14:53:22.049Z\",\"modifyTimestamp\":\"2021-09-16T22:52:53.806Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeT
ypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:52:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7c4b7cfb-ff1f-59b1-93a0-91313fa71439", "observed_start_time": "2021-09-16T22:52:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:52:54.712Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": 
"modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:52:53.806Z", "text/plain", "MODIFIED", "162.222.47.183", "michelle.goldberg", "97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "352c6e242381d6d2fd656d2ffe3f05a9", 57848, "false", "TRUE", "C:/Users/michelle.goldberg/", "Document", "Administrators", "FILE", "922302705889597824", "2021-09-16T22:52:54.712Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2020-08-14T14:53:22.049Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z 
ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.328Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c329416237b094613fc5f5a64b2ecbce\",\"sha256Checksum\":\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"createTimestamp\":\"2021-09-09T09:44:28.564Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.664Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removable
MediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-53045a88-f6cf-5c78-9b45-7919c983dd54", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": 
"2021-09-16T22:48:18.328Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.664Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75", "2021-09-16T22:52:32.765Z", 30720, "code42-exfil-share-datatype", "c329416237b094613fc5f5a64b2ecbce", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.328Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.564Z"]]}}, {"suspicious": 
0, "description": "```\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337186Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"YourPhoneServer.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47104,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"640c3b31c496531dacc0a8fb830fd457\",\"sha256Checksum\":\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"createTimestamp\":\"2021-09-09T09:44:28.653Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.484Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"pr
ocessName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb1cd9ba-bcbf-5e7c-bff6-a1f16c9d579f", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.178Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneServer.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.484Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7", "2021-09-16T22:52:32.765Z", 47104, "code42-exfil-share-datatype", "640c3b31c496531dacc0a8fb830fd457", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.653Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:50:54.234Z 804e3b095828 Skyformation - 8299296745530260548 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 dproc=file events dtz=default-tenant end=1631832654234 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:50:54.234Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:50:53.422Z ext_md5Checksum=f9f18977a180437631eb8e969d503075 ext_sharedWith=[] 
ext_sha256Checksum=cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:51:57.205056Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:50:54.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:57.205056Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/russell.martin/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"f9f18977a180437631eb8e969d503075\",\"sha256Checksum\":\"cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022\",\"createTimestamp\":\"2020-08-21T01:27:36.760Z\",\"modifyTimestamp\":\"2021-09-16T22:50:53.422Z\",\"deviceUserName\":\"russell.martin@example.edu\",\"osHostName\":\"RUSSELLM-OFFICI\",\"domainName\":\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.162\",\"fe80:0:0:0:49f7:c945:904:10d5%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423453587837882\",\"userUid\":\"966201050854648997\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":nul
l,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"russell.martin\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:50:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4162539b-fbca-51cf-b6e4-0a6b26d39962", "observed_start_time": "2021-09-16T22:50:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:50:54.234Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "RUSSELLM-OFFICI", "RUSSELLM-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:50:53.422Z", "text/plain", "MODIFIED", "162.222.47.183", "russell.martin", "cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022", "2021-09-16T22:52:32.764Z", 21, "code42-exfil-share-datatype", "f9f18977a180437631eb8e969d503075", 57848, "false", "TRUE", "C:/Users/russell.martin/", "Document", "Administrators", "FILE", "966201050854648997", "2021-09-16T22:50:54.234Z", "russell.martin@example.edu", "russell.martin@example.edu", "2020-08-21T01:27:36.760Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 
ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.216Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337256Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"libnanoapi.lib\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":1570,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bb41b302cf1325c4f459616da8e605a2\",\"sha256Checksum\":\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"createTimestamp\":\"2021-09-09T09:44:28.468Z\",\"modifyTimestamp\":\"2021-09-09T09:44:30.262Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-archive\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters
\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f011d516-96c8-5ad3-a4b0-533801bdca65", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.216Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": 
"string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libnanoapi.lib", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:30.262Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df", "2021-09-16T22:52:32.763Z", 1570, "code42-exfil-share-datatype", "bb41b302cf1325c4f459616da8e605a2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/", "Archive", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.216Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.468Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll 
fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:30.321Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337686Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"inktotextengineimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":346480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3579a936952da7532c4358700bed43a3\",\"sha256Checksum\":\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.674Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":
false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:30Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b5817d5a-4a72-58ec-81bc-5a28f291f095", "observed_start_time": "2021-09-16T22:48:30Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:30.321Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "inktotextengineimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.674Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82", "2021-09-16T22:52:32.762Z", 346480, "code42-exfil-share-datatype", "3579a936952da7532c4358700bed43a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:30.321Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.295Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335136Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5a9f0b52ac62762bd03d34c0e410acb3\",\"sha256Checksum\":\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.316Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removabl
eMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-a05b4e8f-6202-5499-ba07-3718cf72c197", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.295Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.316Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0", "2021-09-16T22:52:32.760Z", 15224, "code42-exfil-share-datatype", "5a9f0b52ac62762bd03d34c0e410acb3", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.295Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.241Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335618Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",\"sha256Checksum\":\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.863Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a0de864d-2900-5255-812e-84ad1269fe51", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.863Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d", "2021-09-16T22:52:32.765Z", 15240, "code42-exfil-share-datatype", "d1b7ec7c3a95ec1e84117bfef59f1ab6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.241Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.330Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335818Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1b1e7bc04757e673ca956218abdb7959\",\"sha256Checksum\":\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"createTimestamp\":\"2021-08-18T09:55:42.393Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.144Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removabl
eMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-72a3a626-c665-500e-8f8e-348475fffa7a", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.330Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.144Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb", "2021-09-16T22:52:32.766Z", 15736, "code42-exfil-share-datatype", "1b1e7bc04757e673ca956218abdb7959", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.330Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.393Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.233Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336279Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":35728,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1b4ed26020dd106aaf2e1a6265dce9d\",\"sha256Checksum\":\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"createTimestamp\":\"2021-08-18T09:55:42.627Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.224Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b94cad0a-dbae-50b0-8247-6f277b16ef62", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.233Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.224Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f", "2021-09-16T22:52:32.760Z", 35728, "code42-exfil-share-datatype", "e1b4ed26020dd106aaf2e1a6265dce9d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.233Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.627Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:46.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315412Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"fileName\":\"qtquickextrasplugin.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":80256,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"68118cdf04def6c50804a705773bbd9b\",\"sha256Checksum\":\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"createTimestamp\":\"2021-09-08T09:32:21.221Z\",\"modifyTimestamp\":\"2021-09-08T09:32:21.223Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,
\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:46Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4a0c230f-9717-5e9f-a713-a19dc76fff57", "observed_start_time": "2021-09-16T22:48:46Z", "count": 1, 
"observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:46.178Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "qtquickextrasplugin.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:21.223Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8", "2021-09-16T22:52:32.765Z", 80256, "code42-exfil-share-datatype", "68118cdf04def6c50804a705773bbd9b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:46.178Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:21.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.278Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336341Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"UIAutomationClient.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18320,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e55e4041d9e6f6bf0d3738a25255913\",\"sha256Checksum\":\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.271Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\
":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-05bbd72b-3d43-546c-9d35-945d8f707e57", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.278Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationClient.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.271Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f", "2021-09-16T22:52:32.762Z", 18320, "code42-exfil-share-datatype", "5e55e4041d9e6f6bf0d3738a25255913", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.278Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.345Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337890Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSync.Resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2382208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"3c69d0029f27ff52a1b4d3f70fef0d2b\",\"sha256Checksum\":\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"createTimestamp\":\"2021-09-08T09:32:12.114Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.146Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-948e9f79-dc63-5056-aea8-c68e06874928", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.345Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": 
"src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSync.Resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.146Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f", "2021-09-16T22:52:32.760Z", 2382208, "code42-exfil-share-datatype", "3c69d0029f27ff52a1b4d3f70fef0d2b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.345Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.114Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.322Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335199Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"WindowsFormsIntegration.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",\"sha256Checksum\":\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.379Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-591003e3-d294-5b92-b79e-0b8f876ef71a", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.322Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsFormsIntegration.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.379Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281", "2021-09-16T22:52:32.766Z", 14736, "code42-exfil-share-datatype", "6e8097b4e0d86ed2d1fc1f6f1e3d3ed4", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.322Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.409Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314795Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-interlocked-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11640,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"72413f1254d09348dab76ee4e5e2e300\",\"sha256Checksum\":\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"createTimestamp\":\"2021-09-08T09:32:11.394Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.395Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0
:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains 
observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9d71ceb9-5bd1-5f54-9ab2-e4c2b17d36ec", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.409Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", 
"api-ms-win-core-interlocked-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.395Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9", "2021-09-16T22:52:32.767Z", 11640, "code42-exfil-share-datatype", "72413f1254d09348dab76ee4e5e2e300", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.409Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.394Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336992Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.ComponentModel.Annotations.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":43152,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"7d3d14b0417a68ccdd9c51972ff74863\",\"sha256Checksum\":\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d53d7240-3aa7-5101-93e4-21c54bf8057d", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.258Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ComponentModel.Annotations.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4", "2021-09-16T22:52:32.766Z", 43152, "code42-exfil-share-datatype", "7d3d14b0417a68ccdd9c51972ff74863", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.391Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314714Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-debug-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5c7fa0b68872c2d1d3f10601e3af2341\",\"sha256Checksum\":\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"createTimestamp\":\"2021-09-08T09:32:11.181Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.185Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"r
emovableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-76f5923e-90cb-5871-a068-f325c3b14df5", "observed_start_time": "2021-09-16T22:48:40Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.391Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-debug-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.185Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477", "2021-09-16T22:52:32.758Z", 11648, "code42-exfil-share-datatype", "5c7fa0b68872c2d1d3f10601e3af2341", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.391Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:11.181Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 
ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:59:02.980Z\",\"insertionTimestamp\":\"2021-09-16T23:01:17.003636Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661803,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7a691f6c406d52373ad2c62e2f480bb3\",\"sha256Checksum\":\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:59:00.670Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:59:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61482_bb3b8a648af1"], "disposition": 5, 
"short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44f8d201-58cc-59b9-97c3-f246c522fbbf", "observed_start_time": "2021-09-16T22:59:02Z", "count": 1, "observable_type": "ip", "ctr_uuid": "2b62502c-3789-473e-82ed-1635c31f6ebb", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:59:02.980Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": 
"string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:59:00.670Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3", "2021-09-16T23:02:30.314Z", 6661803, "code42-exfil-share-datatype", "7a691f6c406d52373ad2c62e2f480bb3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:59:02.980Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z 
ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.194Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336844Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Options.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":50552,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"89c3d573e8b2e5a71850a69f14fff1a5\",\"sha256Checksum\":\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d48070bb-5f27-5c2d-988d-60be6d9b5bf9", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.194Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Options.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c", "2021-09-16T22:52:32.763Z", 50552, "code42-exfil-share-datatype", "89c3d573e8b2e5a71850a69f14fff1a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.194Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.199Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315098Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-runtime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":16248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"439e89fa2d4882b639df5e8ec7a96ba3\",\"sha256Checksum\":\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"createTimestamp\":\"2021-09-08T09:32:11.868Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\
"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a0d1586a-980b-53db-a3bd-54d0da5b1f6c", "observed_start_time": "2021-09-16T22:48:41Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.199Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-runtime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862", "2021-09-16T22:52:32.759Z", 16248, "code42-exfil-share-datatype", "439e89fa2d4882b639df5e8ec7a96ba3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.199Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:11.868Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.248Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315215Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"ipcfile.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":519040,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c0ae22d4188ac20d9d83dd26ad0aabe8\",\"sha256Checksum\":\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"createTimestamp\":\"2021-09-08T09:32:13.591Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.599Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\
":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-688ee4c8-f77c-5f46-9836-4348af79eaac", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.248Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ipcfile.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:13.599Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0", "2021-09-16T22:52:32.766Z", 519040, "code42-exfil-share-datatype", "c0ae22d4188ac20d9d83dd26ad0aabe8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.248Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:57:00.388Z 804e3b095828 Skyformation - 828612858482025544 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 dproc=file events dtz=default-tenant end=1631833020388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:00.388Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:59.574Z ext_md5Checksum=8efa479f501fce555f0d148ed15700ff ext_sharedWith=[] 
ext_sha256Checksum=7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:23.763511Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:57:00.388Z\",\"insertionTimestamp\":\"2021-09-16T22:58:23.763511Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"8efa479f501fce555f0d148ed15700ff\",\"sha256Checksum\":\"7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T22:56:59.574Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sha
redWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:57:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-16c0c82f-103f-5735-8035-176b59587558", "observed_start_time": "2021-09-16T22:57:00Z", "count": 1, "observable_type": "ip", "ctr_uuid": "939e6101-de49-4225-a54a-08c9718d357c", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:57:00.388Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", 
"KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:56:59.574Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0", "2021-09-16T23:00:29.721Z", 21, "code42-exfil-share-datatype", "8efa479f501fce555f0d148ed15700ff", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T22:57:00.388Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.201Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314355Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.WebSocketClient.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1103208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"e93c70df0faa580e8272c9c833238352\",\"sha256Checksum\":\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"createTimestamp\":\"2021-09-08T09:32:14.457Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.468Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":fals
e,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6c6ba0d2-5cb7-5fb4-b8fa-b1ddcca2b916", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.201Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.WebSocketClient.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.468Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00", "2021-09-16T22:52:32.763Z", 1103208, "code42-exfil-share-datatype", "e93c70df0faa580e8272c9c833238352", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.201Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.457Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.250Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336984Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Collections.Immutable.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":302216,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d8203aedaabeac1e606cd0e2af397d01\",\"sha256Checksum\":\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.294Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNum
ber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-a06655bf-1d69-5734-9385-bedd69f54dde", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.250Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Collections.Immutable.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.294Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57", "2021-09-16T22:52:32.760Z", 302216, "code42-exfil-share-datatype", "d8203aedaabeac1e606cd0e2af397d01", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", 
"Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.250Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:45.200Z 804e3b095828 Skyformation - 4568069721930504518 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 dproc=file events dtz=default-tenant end=1631832945200 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:45.200Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:44.294Z ext_md5Checksum=443f8cb00cc5111045099941ed333760 ext_sharedWith=[] ext_sha256Checksum=0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:57.527022Z 
ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:45.200Z\",\"insertionTimestamp\":\"2021-09-16T22:56:57.527022Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/eric.strauss/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"443f8cb00cc5111045099941ed333760\",\"sha256Checksum\":\"0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59\",\"createTimestamp\":\"2020-08-14T13:40:10.269Z\",\"modifyTimestamp\":\"2021-09-16T22:55:44.294Z\",\"deviceUserName\":\"eric.strauss@c42se.com\",\"osHostName\":\"ERICS-OFFICIAL-\",\"domainName\":\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:10bc:b19:239f:6063%eth4\",\"172.20.65.70\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"949085489986461736\",\"userUid\":\"886924612955838070\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\
"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"eric.strauss\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:45Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-88010803-a3bd-5c70-ad45-f8a8ff7c5250", "observed_start_time": "2021-09-16T22:55:45Z", "count": 1, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-09-16T22:55:45.200Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ERICS-OFFICIAL-", "ERICS-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:55:44.294Z", "text/plain", "MODIFIED", "162.222.47.183", "eric.strauss", "0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "443f8cb00cc5111045099941ed333760", 57848, "false", "TRUE", "C:/Users/eric.strauss/", "Document", "Administrators", "FILE", "886924612955838070", "2021-09-16T22:55:45.200Z", "eric.strauss@c42se.com", "eric.strauss@c42se.com", "2020-08-14T13:40:10.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 
7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 
ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337748Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"msoimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11529088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3f7fb1d32a7be58e65dc615a9553e183\",\"sha256Checksum\":\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:53.564Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"remov
ableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-c11cb0c5-6ce6-53e6-990a-3db70bde087e", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.153Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msoimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:53.564Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc", "2021-09-16T22:52:32.766Z", 11529088, "code42-exfil-share-datatype", "3f7fb1d32a7be58e65dc615a9553e183", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:31.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.132Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334824Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b81fa8bc88192c7febd2479638aea569\",\"sha256Checksum\":\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"createTimestamp\":\"2021-08-18T09:55:42.158Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.113Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-80f4bd35-8d77-5832-82bc-6e851b01ab6a", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.132Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.113Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "b81fa8bc88192c7febd2479638aea569", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.132Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.158Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:03:00.461Z 804e3b095828 Skyformation - 4596085183447228781 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 dproc=file events dtz=default-tenant end=1631833380461 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:00.461Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:59.649Z ext_md5Checksum=3466b521c7f5908415eda20dae617805 ext_sharedWith=[] ext_sha256Checksum=323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:49.475785Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:03:00.461Z\",\"insertionTimestamp\":\"2021-09-16T23:03:49.475785Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"3466b521c7f5908415eda20dae617805\",\"sha256Checksum\":\"323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T23:02:59.649Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismat
ch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:03:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7e0b6d27-4e43-591e-bfda-6a6ab3f6874a", "observed_start_time": "2021-09-16T23:03:00Z", "count": 1, "observable_type": "ip", "ctr_uuid": "acc3331d-c05a-44d1-b1e8-276faa688494", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:03:00.461Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", 
"type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", "KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:02:59.649Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a", "2021-09-16T23:38:30.159Z", 21, "code42-exfil-share-datatype", "3466b521c7f5908415eda20dae617805", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T23:03:00.461Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant 
duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z 
ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.136Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336703Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"987db26b17dc24d5b7dec25db1c103c2\",\"sha256Checksum\":\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMedia
PartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-25c017fd-4f45-5914-beb2-bc15656fec2f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": 
"2021-09-16T22:48:22.136Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5", "2021-09-16T22:52:32.759Z", 18296, "code42-exfil-share-datatype", "987db26b17dc24d5b7dec25db1c103c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.136Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, 
"description": "```\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337345Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":22965248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3bf2cfa3eeecd650c9564a2b6543b398\",\"sha256Checksum\":\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:51.480Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTit
le\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-faf386d2-1897-5faa-9341-f6a5fc3c9de2", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.281Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:51.480Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680", "2021-09-16T22:52:32.760Z", 22965248, "code42-exfil-share-datatype", "3bf2cfa3eeecd650c9564a2b6543b398", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:51:23.336Z 804e3b095828 Skyformation - 869866733287153498 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 dproc=file events dtz=default-tenant end=1631832683336 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:51:23.336Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:22.415Z ext_md5Checksum=1a91631bf8b9e8f8eebc32c23d289b00 ext_sharedWith=[] 
ext_sha256Checksum=528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:47.736678Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:51:23.336Z\",\"insertionTimestamp\":\"2021-09-16T22:52:47.736678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"1a91631bf8b9e8f8eebc32c23d289b00\",\"sha256Checksum\":\"528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T22:51:22.415Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\
":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:51:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-906a35f1-be54-5c29-beb5-915c1a319598", "observed_start_time": "2021-09-16T22:51:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:51:23.336Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:51:22.415Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad", "2021-09-16T22:54:30.602Z", 21, "code42-exfil-share-datatype", "1a91631bf8b9e8f8eebc32c23d289b00", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T22:51:23.336Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE 
ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315122Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-string-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f340a17ac423c71767d66973f69d05c8\",\"sha256Checksum\":\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"createTimestamp\":\"2021-09-08T09:32:11.882Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.883Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeT
ypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3de744ae-c05b-5cad-b8ba-bf2e42b878c5", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.206Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-string-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.883Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa", "2021-09-16T22:52:32.761Z", 18296, "code42-exfil-share-datatype", "f340a17ac423c71767d66973f69d05c8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.882Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.184Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337194Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"libnanoapimanaged.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7197696,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff0f788645e78335908728321c10454b\",\"sha256Checksum\":\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"createTimestamp\":\"2021-09-09T09:44:28.638Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.359Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"re
movableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3e1bc410-3631-5811-9b1f-f5830fe141bf", "observed_start_time": "2021-09-16T22:48:23Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.184Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "libnanoapimanaged.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.359Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c", "2021-09-16T22:52:32.759Z", 7197696, "code42-exfil-share-datatype", "ff0f788645e78335908728321c10454b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.184Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-09T09:44:28.638Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.089Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336572Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Castle.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":442368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2fba45e50a9fb187e9873416bc6b4400\",\"sha256Checksum\":\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"createTimestamp\":\"2021-05-13T09:36:01.137Z\",\"modifyTimestamp\":\"2021-05-13T09:36:05.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\
"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0f6806eb-5784-52b4-93cd-fa869fedf5ed", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.089Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Castle.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:05.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23", "2021-09-16T22:52:32.760Z", 442368, "code42-exfil-share-datatype", "2fba45e50a9fb187e9873416bc6b4400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.089Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.137Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:47.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315494Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"fileName\":\"OneDriveSetup.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47927168,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82a458793a4b821e54408db1a0ae4124\",\"sha256Checksum\":\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"createTimestamp\":\"2021-09-14T09:30:08.167Z\",\"modifyTimestamp\":\"2021-09-14T09:29:55.334Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applica
tion/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:47Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d31e6464-3207-5c61-87e3-a41b36564185", "observed_start_time": "2021-09-16T22:48:47Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:47.204Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "OneDriveSetup.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-14T09:29:55.334Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4", "2021-09-16T22:52:32.761Z", 47927168, "code42-exfil-share-datatype", "82a458793a4b821e54408db1a0ae4124", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:47.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-14T09:30:08.167Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.268Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334477Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45448,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c9ea75b02fd1d01f87d8ca868c1ec833\",\"sha256Checksum\":\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"createTimestamp\":\"2021-08-18T09:55:42.111Z\",\"modifyTimestamp\":\"2021-08-18T09:55:47.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removable
MediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c9f0fbfb-5ab6-542b-a192-b8fd98e410f9", 
"observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.268Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:47.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d", "2021-09-16T22:52:32.759Z", 45448, "code42-exfil-share-datatype", "c9ea75b02fd1d01f87d8ca868c1ec833", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:18.268Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.111Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:00:01.360Z 804e3b095828 Skyformation - 3885683649781971647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 dproc=file events dtz=default-tenant end=1631833201360 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:01.360Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:00.548Z ext_md5Checksum=6ef406323b86ee9fc610e512e565eceb ext_sharedWith=[] ext_sha256Checksum=a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:01:26.761677Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:00:01.360Z\",\"insertionTimestamp\":\"2021-09-16T23:01:26.761677Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/lisa.anderson/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"6ef406323b86ee9fc610e512e565eceb\",\"sha256Checksum\":\"a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606\",\"createTimestamp\":\"2020-08-20T15:35:40.032Z\",\"modifyTimestamp\":\"2021-09-16T23:00:00.548Z\",\"deviceUserName\":\"lisa.anderson@example.edu\",\"osHostName\":\"LISAA-OFFICIAL-\",\"domainName\":\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.165\",\"0:0:0:0:0:0:0:1\",\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\",\"127.0.0.1\"],\"deviceUid\":\"968364480722593364\",\"userUid\":\"966200991614299301\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removab
leMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"lisa.anderson\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:00:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b5131dad-59b7-5e9c-af0c-bd9880bf8180", "observed_start_time": "2021-09-16T23:00:01Z", "count": 1, "observable_type": "ip", "ctr_uuid": "82ff18f9-a2f2-468e-b769-864955bf9f94", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T23:00:01.360Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "LISAA-OFFICIAL-", "LISAA-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:00:00.548Z", "text/plain", "MODIFIED", "162.222.47.183", "lisa.anderson", "a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606", "2021-09-16T23:02:30.314Z", 21, "code42-exfil-share-datatype", "6ef406323b86ee9fc610e512e565eceb", 57848, "false", "TRUE", "C:/Users/lisa.anderson/", "Document", "Administrators", "FILE", "966200991614299301", "2021-09-16T23:00:01.360Z", "lisa.anderson@example.edu", "lisa.anderson@example.edu", "2020-08-20T15:35:40.032Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.158Z 
804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336139Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f96e04ea6cbce1560b83bff7a42f29b0\",\"sha256Checksum\":\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\
"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a7debce1-3ffd-50ca-b4dd-86c49407a4b2", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.158Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9", "2021-09-16T22:52:32.763Z", 14224, "code42-exfil-share-datatype", "f96e04ea6cbce1560b83bff7a42f29b0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:00:53.518Z 804e3b095828 Skyformation - 9157518344019267215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 dproc=file events dtz=default-tenant end=1631833253518 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:53.518Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:52.603Z ext_md5Checksum=07123ecb22ebf61f593efe09b307cb58 
ext_sharedWith=[] ext_sha256Checksum=6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:35.401169Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:00:53.518Z\",\"insertionTimestamp\":\"2021-09-16T23:02:35.401169Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/alex.cooper/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"07123ecb22ebf61f593efe09b307cb58\",\"sha256Checksum\":\"6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217\",\"createTimestamp\":\"2020-08-14T13:57:46.726Z\",\"modifyTimestamp\":\"2021-09-16T23:00:52.603Z\",\"deviceUserName\":\"alex.cooper@c42se.com\",\"osHostName\":\"ALEXC-OFFICIAL-\",\"domainName\":\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.65.62\",\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944595906935824510\",\"userUid\":\"925771637667629373\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":nul
l,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"alex.cooper\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:00:53Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_14_61484_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0f0674ff-844f-5bef-96fa-3838e5680bbb", "observed_start_time": "2021-09-16T23:00:53Z", "count": 1, "observable_type": "ip", "ctr_uuid": "8b4565a6-1f89-498b-bd58-e2b514f127a1", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:00:53.518Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ALEXC-OFFICIAL-", 
"ALEXC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:00:52.603Z", "text/plain", "MODIFIED", "162.222.47.183", "alex.cooper", "6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217", "2021-09-16T23:04:29.765Z", 21, "code42-exfil-share-datatype", "07123ecb22ebf61f593efe09b307cb58", 57848, "false", "TRUE", "C:/Users/alex.cooper/", "Document", "Administrators", "FILE", "925771637667629373", "2021-09-16T23:00:53.518Z", "alex.cooper@c42se.com", "alex.cooper@c42se.com", "2020-08-14T13:57:46.726Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.207Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314378Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":729448,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"4bb5499613eca0fe0670a3cab2d5318e\",\"sha256Checksum\":\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"createTimestamp\":\"2021-09-08T09:32:14.205Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.217Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e2f84dc5-c14e-5c9e-8387-08f1c5f04b0d", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.207Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": 
"src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.217Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636", "2021-09-16T22:52:32.764Z", 729448, "code42-exfil-share-datatype", "4bb5499613eca0fe0670a3cab2d5318e", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.207Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.205Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.134Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336077Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Forms.Design.Editors.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":78200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3feb5a138ff178c1dd47a8a99f394517\",\"sha256Checksum\":\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.771Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removab
leMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-df2ba03f-9021-5a29-9af0-4d748fd81b32", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.134Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.Design.Editors.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.771Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30", "2021-09-16T22:52:32.759Z", 78200, "code42-exfil-share-datatype", "3feb5a138ff178c1dd47a8a99f394517", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.134Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:58:45.240Z 804e3b095828 Skyformation - 1503382521195344208 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 dproc=file events dtz=default-tenant end=1631833125240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:58:45.240Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:58:44.334Z ext_md5Checksum=4d815e327303356a651e8f6309dbddb2 ext_sharedWith=[] ext_sha256Checksum=44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:23.643528Z ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:58:45.240Z\",\"insertionTimestamp\":\"2021-09-16T23:02:23.643528Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/eric.strauss/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4d815e327303356a651e8f6309dbddb2\",\"sha256Checksum\":\"44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e\",\"createTimestamp\":\"2020-08-14T13:40:10.269Z\",\"modifyTimestamp\":\"2021-09-16T22:58:44.334Z\",\"deviceUserName\":\"eric.strauss@c42se.com\",\"osHostName\":\"ERICS-OFFICIAL-\",\"domainName\":\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:10bc:b19:239f:6063%eth4\",\"172.20.65.70\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"949085489986461736\",\"userUid\":\"886924612955838070\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"re
movableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"eric.strauss\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:58:45Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1c9475b8-bc10-5f3a-a528-b8a5ae119847", 
"observed_start_time": "2021-09-16T22:58:45Z", "count": 1, "observable_type": "ip", "ctr_uuid": "ac383ed4-03ef-4ca4-ab67-7192058fdf33", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:58:45.240Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ERICS-OFFICIAL-", "ERICS-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:58:44.334Z", "text/plain", "MODIFIED", "162.222.47.183", "eric.strauss", "44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e", "2021-09-16T23:04:29.763Z", 21, "code42-exfil-share-datatype", "4d815e327303356a651e8f6309dbddb2", 57848, "false", "TRUE", "C:/Users/eric.strauss/", "Document", "Administrators", "FILE", "886924612955838070", "2021-09-16T22:58:45.240Z", "eric.strauss@c42se.com", 
"eric.strauss@c42se.com", "2020-08-14T13:40:10.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336975Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Buffers.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20856,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ecdfe8ede869d2ccc6bf99981ea96400\",\"sha256Checksum\":\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.607Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,
\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-eb0c66e8-84ad-581a-9f9a-25cebb09004f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.246Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Buffers.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.607Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb", "2021-09-16T22:52:32.759Z", 20856, "code42-exfil-share-datatype", "ecdfe8ede869d2ccc6bf99981ea96400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.307Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":53112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0bf7eed5f18b294cd26d33a71c831237\",\"sha256Checksum\":\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.098Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dd407cc3-3f46-5b52-b2e8-65ebc0e516ed", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.307Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.098Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28", "2021-09-16T22:52:32.764Z", 53112, "code42-exfil-share-datatype", "0bf7eed5f18b294cd26d33a71c831237", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.307Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:03:22.644Z 804e3b095828 Skyformation - 273274590069601610 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 dproc=file events dtz=default-tenant end=1631833402644 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:22.644Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:03:22.573Z ext_md5Checksum=b65499280f2f8d7b7151a3fa44c0a24f ext_sharedWith=[] ext_sha256Checksum=417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:09:05.264820Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:03:22.644Z\",\"insertionTimestamp\":\"2021-09-16T23:09:05.264820Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"b65499280f2f8d7b7151a3fa44c0a24f\",\"sha256Checksum\":\"417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T23:03:22.573Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":f
alse,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:03:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-72310698-525a-5a66-a3ee-20a1deca64d3", "observed_start_time": "2021-09-16T23:03:22Z", "count": 1, "observable_type": "ip", "ctr_uuid": "78ece332-023a-4318-975d-a6c6d25a3ffb", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:03:22.644Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": 
"string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:03:22.573Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38", "2021-09-16T23:38:30.159Z", 21, "code42-exfil-share-datatype", "b65499280f2f8d7b7151a3fa44c0a24f", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T23:03:22.644Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username 
duser=darnell.waters end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.411Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314807Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"94d4e2bb8654b77c41cd35574e3f0299\",\"sha256Checksum\":\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"createTimestamp\":\"2021-09-08T09:32:11.401Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.402Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncD
estinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3a79e39-11d3-53f1-b007-2ec9ea47ae64", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.411Z"}, "ctr_hide": false, "clean": 0, 
"data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-libraryloader-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.402Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082", "2021-09-16T22:52:32.762Z", 12664, "code42-exfil-share-datatype", "94d4e2bb8654b77c41cd35574e3f0299", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.411Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.401Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 
Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] 
ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337062Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Threading.Channels.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"523c15d2368a36583c90119fd9f52fe7\",\"sha256Checksum\":\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.230Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowT
itle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cb6020cb-fa6b-58ab-9a08-8c624a73ee5b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.288Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Threading.Channels.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.230Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0", "2021-09-16T22:52:32.766Z", 45952, "code42-exfil-share-datatype", "523c15d2368a36583c90119fd9f52fe7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "5ae96ef1-5cbf-4007-b97f-f25fa5da8d0c", "observable": {"key": "7dddf0ad-0f0d-44da-b109-ae4251e920c5", "value": "162.222.47.183", "indicators": [], "type": "ip", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f5f1e5c6", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "ip", "value": "162.222.47.183"}, "type": "warning", "action_id": "84f9c555-287e-4ed0-9caf-8ff5f23a21dc", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for 162.222.47.183 than can be displayed in Threat Response. 
Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "162.222.47.183", "id": "f5f1e5c6", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.231Z 804e3b095828 Skyformation - 2570324659148337624 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520231 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5DBus.dll fsize=437624 msg=Resource [Resource: file :: Qt5DBus.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.231Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5DBus.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.354Z ext_md5Checksum=d10cb4ac9a26d6350f1079399351e9d3 ext_sharedWith=[] 
ext_sha256Checksum=ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=437624 ext_insertionTimestamp=2021-09-16T22:51:22.314459Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.238Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_22\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.231Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314459Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5DBus.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":437624,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"d10cb4ac9a26d6350f1079399351e9d3\",\"sha256Checksum\":\"ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8\",\"createTimestamp\":\"2021-09-08T09:32:15.238Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.354Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[
],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-ccea10ce-60a9-516a-adc2-ab30852b2b65", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.231Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5DBus.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:15.354Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac4feb3d27327b3723ad8c55777e51d4a1ca361232163419d2ef2e2264ae16f8", "2021-09-16T22:52:32.760Z", 437624, "code42-exfil-share-datatype", "d10cb4ac9a26d6350f1079399351e9d3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.231Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.238Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.331Z 804e3b095828 Skyformation - 7147350242940381794 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507331 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Office.UI.Xaml.Core.winmd fsize=20280 msg=Resource [Resource: file :: Office.UI.Xaml.Core.winmd] was deleted by [darnell.waters@c42se.com] proto=winmd requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.331Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Office.UI.Xaml.Core.winmd ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:54.439Z ext_md5Checksum=d16aec0e28a5f509a04722edf62e01eb ext_sharedWith=[] ext_sha256Checksum=c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20280 ext_insertionTimestamp=2021-09-16T22:51:15.337467Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_538\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.331Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337467Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"Office.UI.Xaml.Core.winmd\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":20280,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d16aec0e28a5f509a04722edf62e01eb\",\"sha256Checksum\":\"c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:54.439Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":n
ull,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6af36d6f-8b1a-53f4-b011-92aea968dc13", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.331Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": 
"string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "Office.UI.Xaml.Core.winmd", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:54.439Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "c79921fa5bb41994b9cbbc5e45ba0e81d010e5455e950d6a334a4a931ab571d7", "2021-09-16T22:52:32.764Z", 20280, "code42-exfil-share-datatype", "d16aec0e28a5f509a04722edf62e01eb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.331Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.316Z 804e3b095828 Skyformation - 2753694102657169032 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501316 fileHash=File filePath=N/A fileType=file 
flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=36240 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.316Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.349Z ext_md5Checksum=e2dd338ceac0daebdfdf99d72e40fd80 ext_sharedWith=[] ext_sha256Checksum=60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=36240 ext_insertionTimestamp=2021-09-16T22:51:15.336422Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] 
ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_401\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.316Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336422Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":36240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e2dd338ceac0daebdfdf99d72e40fd80\",\"sha256Checksum\":\"60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.349Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":nul
l,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-46a69277-670c-5a04-a296-4ce39a3e0361", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.316Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.349Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "60428cbfa81ae66e5fd2551a7278572c98f4b25e936e15e99fc8663a96c1cb34", "2021-09-16T22:52:32.761Z", 36240, "code42-exfil-share-datatype", "e2dd338ceac0daebdfdf99d72e40fd80", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hant/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.316Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.292Z 804e3b095828 Skyformation - 7248080604647656713 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499292 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.resources.dll fsize=355192 msg=Resource [Resource: file :: System.Windows.Forms.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.292Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.301Z ext_md5Checksum=47613e3bfa408b3299c04d0df45433ba ext_sharedWith=[] ext_sha256Checksum=8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=355192 ext_insertionTimestamp=2021-09-16T22:51:15.335127Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_257\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.292Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335127Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Forms.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":355192,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47613e3bfa408b3299c04d0df45433ba\",\"sha256Checksum\":\"8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.301Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\"
:[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-22383b2e-6dd0-5329-baf0-9074acc3b3a0", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.292Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.301Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8906a56382f6c1a46718c8a1c77fec31252a886a7c4cc2edee31a64c6a19e6b5", "2021-09-16T22:52:32.763Z", 355192, "code42-exfil-share-datatype", "47613e3bfa408b3299c04d0df45433ba", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.292Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.285Z 804e3b095828 Skyformation - 4486167823222473202 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502285 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Json.dll fsize=293248 msg=Resource [Resource: file :: System.Text.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.285Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=64efa1bfed847afd252e7af274648474 ext_sharedWith=[] ext_sha256Checksum=d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=293248 ext_insertionTimestamp=2021-09-16T22:51:15.337054Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_474\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.285Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337054Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":293248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"64efa1bfed847afd252e7af274648474\",\"sha256Checksum\":\"d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-523329ab-5b5f-5357-a64e-8ae0ce7f5456", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.285Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "d2608254043e5b19f6e8335569fc2dd72ae4ce11a3df0d3f1425ac158df93237", "2021-09-16T22:52:32.764Z", 293248, "code42-exfil-share-datatype", "64efa1bfed847afd252e7af274648474", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.285Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.258Z 804e3b095828 Skyformation - 7467897017173440831 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14200 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.926Z ext_md5Checksum=6b163d1438afbe087bb895d76ea393e7 ext_sharedWith=[] ext_sha256Checksum=737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14200 ext_insertionTimestamp=2021-09-16T22:51:15.335653Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_317\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335653Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6b163d1438afbe087bb895d76ea393e7\",\"sha256Checksum\":\"737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.926Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"
removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3a1fee14-256f-510f-aced-1bf23fb968cd", 
"observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.258Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.926Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "737376e2a6e68e8a3038faad332fe475666ba4e824234851642f5ef3a4db2da3", "2021-09-16T22:52:32.760Z", 14200, "code42-exfil-share-datatype", "6b163d1438afbe087bb895d76ea393e7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", 
"902428473202283166", "2021-09-16T22:48:20.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.105Z 804e3b095828 Skyformation - 95249169800085206 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502105 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=DotNetty.Transport.dll fsize=254464 msg=Resource [Resource: file :: DotNetty.Transport.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.105Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=DotNetty.Transport.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.044Z ext_md5Checksum=4a67dcf64aab4980b9bd9fb623cc7242 ext_sharedWith=[] ext_sha256Checksum=c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=254464 ext_insertionTimestamp=2021-09-16T22:51:15.336624Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_425\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.105Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336624Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"DotNetty.Transport.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":254464,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"4a67dcf64aab4980b9bd9fb623cc7242\",\"sha256Checksum\":\"c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.044Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":
null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-13a0b29e-3db3-522a-a911-be3d684f1f07", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.105Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "DotNetty.Transport.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-10T09:42:50.044Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c64210dc882c6d69c2f52bd3a0d50b684c658fd4b687967baa315cdbe2ea10a4", "2021-09-16T22:52:32.765Z", 254464, "code42-exfil-share-datatype", "4a67dcf64aab4980b9bd9fb623cc7242", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.105Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.281Z 804e3b095828 Skyformation - 5969833629054147676 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Text.Encodings.Web.dll fsize=59768 msg=Resource [Resource: file :: System.Text.Encodings.Web.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Text.Encodings.Web.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.215Z ext_md5Checksum=2e2490a823b4a3d290a98d0371d199ed ext_sharedWith=[] ext_sha256Checksum=09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=59768 ext_insertionTimestamp=2021-09-16T22:51:15.337045Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_473\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337045Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Text.Encodings.Web.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":59768,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2e2490a823b4a3d290a98d0371d199ed\",\"sha256Checksum\":\"09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.215Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bdd0dfb1-55f1-5bbd-85ab-d589623e4230", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.281Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Text.Encodings.Web.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.215Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "09f7d7e7f98be4c21c4dba8c3be7bf9516dbae6dddfb1b827188a9bd874c6724", "2021-09-16T22:52:32.766Z", 59768, "code42-exfil-share-datatype", "2e2490a823b4a3d290a98d0371d199ed", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.206Z 804e3b095828 Skyformation - 6920872088163377138 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=vcruntime140_cor3.dll fsize=97160 msg=Resource [Resource: file :: vcruntime140_cor3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=vcruntime140_cor3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.958Z ext_md5Checksum=18049f6811fc0f94547189a9e104f5d2 ext_sharedWith=[] ext_sha256Checksum=c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=97160 ext_insertionTimestamp=2021-09-16T22:51:15.336218Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.611Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_378\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336218Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"vcruntime140_cor3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":97160,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"18049f6811fc0f94547189a9e104f5d2\",\"sha256Checksum\":\"c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db\",\"createTimestamp\":\"2021-08-18T09:55:42.611Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.958Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":nu
ll,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6fb7d559-f724-5f37-9187-9d037f75fda3", "observed_start_time": "2021-09-16T22:48:21Z", "count": 
1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.206Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "vcruntime140_cor3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.958Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db", "2021-09-16T22:52:32.762Z", 97160, "code42-exfil-share-datatype", "18049f6811fc0f94547189a9e104f5d2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.206Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-08-18T09:55:42.611Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.161Z 804e3b095828 Skyformation - 6947904993943323609 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499161 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17784 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.161Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.176Z ext_md5Checksum=981e3dd612e3d93ba10c54e46d378aa5 ext_sharedWith=[] ext_sha256Checksum=2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17784 ext_insertionTimestamp=2021-09-16T22:51:15.334894Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.190Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_233\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.161Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334894Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"981e3dd612e3d93ba10c54e46d378aa5\",\"sha256Checksum\":\"2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0\",\"createTimestamp\":\"2021-08-18T09:55:42.190Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.176Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\"
,\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6fb7d7f8-f5f2-572a-97f2-cc3be5dd47f1", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.161Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.176Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2c3e5f7844f558ae5ac03393ea4aff2168c9220efcc76433878fdb4adf6c9ce0", "2021-09-16T22:52:32.762Z", 17784, "code42-exfil-share-datatype", "981e3dd612e3d93ba10c54e46d378aa5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ja/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.161Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.190Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.128Z 804e3b095828 Skyformation - 8424454916015673653 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520128 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSyncTelemetryExtensions.dll fsize=71544 msg=Resource [Resource: file :: FileSyncTelemetryExtensions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.128Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSyncTelemetryExtensions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.405Z ext_md5Checksum=faaf9d982dbaa8ab547098f1fb6abc81 ext_sharedWith=[] ext_sha256Checksum=bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=71544 ext_insertionTimestamp=2021-09-16T22:51:15.337977Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.402Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_995\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.128Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337977Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSyncTelemetryExtensions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":71544,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"faaf9d982dbaa8ab547098f1fb6abc81\",\"sha256Checksum\":\"bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239\",\"createTimestamp\":\"2021-09-08T09:32:13.402Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.405Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTy
peByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1f33d210-e0ea-5ac6-bb07-7a447613b190", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.128Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSyncTelemetryExtensions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.405Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "bc36466fcf4a8daa78bb93c2bf04ad9f98d91b5bd776d38f6b2fd4624e219239", "2021-09-16T22:52:32.759Z", 71544, "code42-exfil-share-datatype", "faaf9d982dbaa8ab547098f1fb6abc81", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.128Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.402Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.172Z 804e3b095828 Skyformation - 5590696252164994345 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502172 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Binder.dll fsize=24952 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Binder.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.172Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Binder.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=f97d210b3ede360f920e2b1d5b702d6b ext_sharedWith=[] ext_sha256Checksum=11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=24952 ext_insertionTimestamp=2021-09-16T22:51:15.336782Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_443\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.172Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336782Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Binder.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":24952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f97d210b3ede360f920e2b1d5b702d6b\",\"sha256Checksum\":\"11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVe
ndor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-40aa9339-7c7b-54de-9324-9377e056d4e2", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.172Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Binder.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "11e50f75a7b7c4cf35b76e6463ea2061db4d3b53166f1cbb8b3be6541964e1e4", "2021-09-16T22:52:32.763Z", 24952, "code42-exfil-share-datatype", "f97d210b3ede360f920e2b1d5b702d6b", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.172Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.191Z 804e3b095828 Skyformation - 1238643688135827114 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503191 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=e_sqlite3.dll fsize=870400 msg=Resource [Resource: file :: e_sqlite3.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.191Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=e_sqlite3.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-08-20T09:07:05.686Z 
ext_md5Checksum=6844e4b40c797e392e1dddcfae0b8dd4 ext_sharedWith=[] ext_sha256Checksum=b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=870400 ext_insertionTimestamp=2021-09-16T22:51:15.337203Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T09:07:00.718Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_495\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.191Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337203Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/\",\"fileName\":\"e_sqlite3.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":870400,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6844e4b40c797e392e1dddcfae0b8dd4\",\"sha256Checksum\":\"b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1\",\"createTimestamp\":\"2020-08-20T09:07:00.718Z\",\"modifyTimestamp\":\"2020-08-20T09:07:05.686Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\
":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9125605f-1264-5799-9b5e-5b14abd34ad1", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.191Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", 
"type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "e_sqlite3.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-08-20T09:07:05.686Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b15ef8bf60d419066146c6d4686d98073b462ee32b7353a48af5853543ac5ae1", "2021-09-16T22:52:32.766Z", 870400, "code42-exfil-share-datatype", "6844e4b40c797e392e1dddcfae0b8dd4", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/runtimes/win-arm/native/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.191Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-08-20T09:07:00.718Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.280Z 804e3b095828 Skyformation - 1081199069424922835 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500280 fileHash=File filePath=N/A fileType=file 
flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.280Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.991Z ext_md5Checksum=dc434cced48beee1b8f867474c5cc33d ext_sharedWith=[] ext_sha256Checksum=1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335704Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.599Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; 
format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_323\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.280Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335704Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"dc434cced48beee1b8f867474c5cc33d\",\"sha256Checksum\":\"1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6\",\"createTimestamp\":\"2021-09-09T09:44:28.599Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.991Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUserna
me\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-66391315-46a4-5cd5-8e36-797ce685401a", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.280Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.991Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b176824882163dcadaf8e296adc08638746c28c5019b1ff3e731dbee44606e6", "2021-09-16T22:52:32.765Z", 26112, "code42-exfil-share-datatype", "dc434cced48beee1b8f867474c5cc33d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-ploc/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.280Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.599Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:54:34.612Z 
804e3b095828 Skyformation - 6165243996888775860 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 dproc=file events dtz=default-tenant end=1631832874612 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:54:34.612Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:54:33.697Z ext_md5Checksum=d4d35cde3d316ed4aeedf61797ae50a4 ext_sharedWith=[] ext_sha256Checksum=4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:52.367764Z ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025231494642652195_53\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:54:34.612Z\",\"insertionTimestamp\":\"2021-09-16T22:59:52.367764Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/sean.cassidy/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"d4d35cde3d316ed4aeedf61797ae50a4\",\"sha256Checksum\":\"4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b\",\"createTimestamp\":\"2020-03-23T20:49:51.288Z\",\"modifyTimestamp\":\"2021-09-16T22:54:33.697Z\",\"deviceUserName\":\"sean.cassidy@c42se.com\",\"osHostName\":\"SEANC-OFFICIAL-\",\"domainName\":\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\",\"172.20.65.56\"],\"deviceUid\":\"983156854068078725\",\"userUid\":\"887050325252344565\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\
":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"sean.cassidy\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:54:34Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a6622b12-9210-5391-b7a2-fb37b77d2330", "observed_start_time": "2021-09-16T22:54:34Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:54:34.612Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, 
{"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "SEANC-OFFICIAL-", "SEANC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:54:33.697Z", "text/plain", "MODIFIED", "162.222.47.183", "sean.cassidy", "4ef24f870d8e97eeb82117ae1c82779805ba64004730d6eccdfdef89c6ef546b", "2021-09-16T23:02:30.314Z", 21, "code42-exfil-share-datatype", "d4d35cde3d316ed4aeedf61797ae50a4", 57848, "false", "TRUE", "C:/Users/sean.cassidy/", "Document", "Administrators", "FILE", "887050325252344565", "2021-09-16T22:54:34.612Z", "sean.cassidy@c42se.com", "sean.cassidy@c42se.com", "2020-03-23T20:49:51.288Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.100Z 804e3b095828 Skyformation - 4352421534572567280 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508100 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msointlimm.dll fsize=377184 msg=Resource [Resource: file :: msointlimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.100Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msointlimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:50.699Z ext_md5Checksum=99d060c13d92442ea518ad6c13305532 ext_sharedWith=[] ext_sha256Checksum=47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=377184 ext_insertionTimestamp=2021-09-16T22:51:15.337625Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.887Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_561\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.100Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337625Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/\",\"fileName\":\"msointlimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":377184,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"99d060c13d92442ea518ad6c13305532\",\"sha256Checksum\":\"47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191\",\"createTimestamp\":\"2021-08-23T09:31:49.887Z\",\"modifyTimestamp\":\"2021-08-23T09:31:50.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"remov
ableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-49473a25-b7cc-50fd-a762-72b81b536667", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "ip", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.100Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msointlimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:50.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "47e088c44c55ce504839d70fe83f9c58eb5a98ed0a7995b87f00053206a4a191", "2021-09-16T22:52:32.765Z", 377184, "code42-exfil-share-datatype", "99d060c13d92442ea518ad6c13305532", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/en-us/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.100Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", 
"2021-08-23T09:31:49.887Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.262Z 804e3b095828 Skyformation - 147303360723066396 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524262 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msipc.dll fsize=3022712 msg=Resource [Resource: file :: msipc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.262Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msipc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.519Z ext_md5Checksum=dcd150947325c51dc49af1c568e76466 ext_sharedWith=[] ext_sha256Checksum=7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3022712 ext_insertionTimestamp=2021-09-16T22:51:22.315284Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.484Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_333\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.262Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315284Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"msipc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":3022712,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"dcd150947325c51dc49af1c568e76466\",\"sha256Checksum\":\"7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1\",\"createTimestamp\":\"2021-09-08T09:32:14.484Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.519Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":n
ull,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9e30b314-9ee6-5218-b163-313d2a5bb546", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.262Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msipc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:14.519Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "7c6cf49aeefc3cec8a88382cb930be04999ce5fcc4bace911796edfd86dd91f1", "2021-09-16T22:52:32.766Z", 3022712, "code42-exfil-share-datatype", "dcd150947325c51dc49af1c568e76466", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.262Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.484Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:57:23.419Z 804e3b095828 Skyformation - 7013019646501643272 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 dproc=file events dtz=default-tenant end=1631833043419 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:23.419Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:57:22.503Z ext_md5Checksum=8ea299414f16148eb8517e478d71f64c ext_sharedWith=[] 
ext_sha256Checksum=e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:13.330998Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231327245014925_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:57:23.419Z\",\"insertionTimestamp\":\"2021-09-16T22:58:13.330998Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"8ea299414f16148eb8517e478d71f64c\",\"sha256Checksum\":\"e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T22:57:22.503Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\
":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:57:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-39144912-bbfc-507f-a580-4c709660d4b3", "observed_start_time": "2021-09-16T22:57:23Z", "count": 1, "observable_type": "ip", "ctr_uuid": "a1f10421-bd33-4f50-8324-f03652392c01", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:57:23.419Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", 
"JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:57:22.503Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "e7528395793c1106d4dc2e946774fdc8b2024996e891d41c7efb902dddb1f92e", "2021-09-16T23:00:29.720Z", 21, "code42-exfil-share-datatype", "8ea299414f16148eb8517e478d71f64c", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T22:57:23.419Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:53.470Z 804e3b095828 Skyformation - 8757910183166367699 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 dproc=file events dtz=default-tenant end=1631832953470 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:53.470Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:52.553Z ext_md5Checksum=42095b3368e04ec563ae3cc508cf7b0b ext_sharedWith=[] ext_sha256Checksum=7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a 
ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:57:12.133407Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231223697001210_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:53.470Z\",\"insertionTimestamp\":\"2021-09-16T22:57:12.133407Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/alex.cooper/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"42095b3368e04ec563ae3cc508cf7b0b\",\"sha256Checksum\":\"7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a\",\"createTimestamp\":\"2020-08-14T13:57:46.726Z\",\"modifyTimestamp\":\"2021-09-16T22:55:52.553Z\",\"deviceUserName\":\"alex.cooper@c42se.com\",\"osHostName\":\"ALEXC-OFFICIAL-\",\"domainName\":\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.65.62\",\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944595906935824510\",\"userUid\":\"925771637667629373\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"file
Id\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"alex.cooper\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:53Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6cc5937c-087a-5124-b1d8-ee04a483a05a", "observed_start_time": "2021-09-16T22:55:53Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:53.470Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ALEXC-OFFICIAL-", "ALEXC-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:55:52.553Z", "text/plain", "MODIFIED", "162.222.47.183", "alex.cooper", "7d4705f4c73df3954d5f05b95909bca76ba9fd7ed22857f1f28ede3d22dbc62a", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "42095b3368e04ec563ae3cc508cf7b0b", 57848, "false", "TRUE", "C:/Users/alex.cooper/", "Document", "Administrators", "FILE", "925771637667629373", "2021-09-16T22:55:53.470Z", "alex.cooper@c42se.com", "alex.cooper@c42se.com", "2020-08-14T13:57:46.726Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.102Z 804e3b095828 Skyformation - 5153937256773059965 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501102 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=31744 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.102Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.054Z ext_md5Checksum=88d5e6253dcb376fb076c87713b3628e ext_sharedWith=[] ext_sha256Checksum=1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=31744 ext_insertionTimestamp=2021-09-16T22:51:15.335997Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.614Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_353\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.102Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335997Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":31744,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"88d5e6253dcb376fb076c87713b3628e\",\"sha256Checksum\":\"1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a\",\"createTimestamp\":\"2021-09-09T09:44:28.614Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.054Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4d5460d1-da05-5833-8d33-4461a20b887c", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.102Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.054Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1b591e15452f11cd2a3f6f676a0f8b1b954b34f1bb254ea6f7257b254c0b8a7a", "2021-09-16T22:52:32.766Z", 31744, "code42-exfil-share-datatype", "88d5e6253dcb376fb076c87713b3628e", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/te-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.102Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.614Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.090Z 804e3b095828 Skyformation - 208873743742055873 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500090 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=19968 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.090Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.950Z ext_md5Checksum=b2f71614b51575b117cfa4356d851423 ext_sharedWith=[] ext_sha256Checksum=b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=19968 ext_insertionTimestamp=2021-09-16T22:51:15.335347Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.589Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_282\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.090Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335347Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":19968,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b2f71614b51575b117cfa4356d851423\",\"sha256Checksum\":\"b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b\",\"createTimestamp\":\"2021-09-09T09:44:28.589Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.950Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVen
dor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-9c09f4e8-150f-5f53-ba71-50de875db6f2", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.090Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.950Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b14e2726789b43ddcab10a5357146c3b843c0ae7ee09ca23d66647d71b85ee6b", "2021-09-16T22:52:32.761Z", 19968, "code42-exfil-share-datatype", "b2f71614b51575b117cfa4356d851423", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/nb-NO/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.090Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.589Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.168Z 804e3b095828 Skyformation - 7653577374012100116 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502168 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Configuration.Abstractions.dll fsize=21368 msg=Resource [Resource: file :: Microsoft.Extensions.Configuration.Abstractions.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.168Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Configuration.Abstractions.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.870Z ext_md5Checksum=e1c8f3a5d41fd162943613952097db8b ext_sharedWith=[] ext_sha256Checksum=306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21368 ext_insertionTimestamp=2021-09-16T22:51:15.336774Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.771Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_442\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.168Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336774Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Configuration.Abstractions.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":21368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1c8f3a5d41fd162943613952097db8b\",\"sha256Checksum\":\"306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732\",\"createTimestamp\":\"2021-08-26T09:51:56.771Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-30ad332e-3cc8-5056-9b47-f6c67e1be5ad", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.168Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Configuration.Abstractions.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "306824b2585eb493ee7954e83af92d0b22885987985336581dfeff65900dc732", "2021-09-16T22:52:32.765Z", 21368, "code42-exfil-share-datatype", "e1c8f3a5d41fd162943613952097db8b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.168Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.771Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:02:22.586Z 804e3b095828 Skyformation - 166520060466349731 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 dproc=file events dtz=default-tenant end=1631833342586 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:02:22.586Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:22.567Z ext_md5Checksum=863d783444c0ecd387c905e9176bf141 ext_sharedWith=[] ext_sha256Checksum=fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:40.014640Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025231872672307085_6\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:02:22.586Z\",\"insertionTimestamp\":\"2021-09-16T23:03:40.014640Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"863d783444c0ecd387c905e9176bf141\",\"sha256Checksum\":\"fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T23:02:22.567Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":f
alse,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:02:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_3_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_3_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4993fc49-66eb-5a74-8700-2b0bed24b796", "observed_start_time": "2021-09-16T23:02:22Z", "count": 1, "observable_type": "ip", "ctr_uuid": "41ce6a98-376a-408e-a126-14b22993139c", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:02:22.586Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": 
"string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:02:22.567Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "fd3b1e52d31a45732670283b1f1005e7866fff11ab9b2f4208f8510c49875833", "2021-09-16T23:04:29.764Z", 21, "code42-exfil-share-datatype", "863d783444c0ecd387c905e9176bf141", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T23:02:22.586Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.190Z 804e3b095828 Skyformation - 4038134318878572665 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832502190 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Logging.dll fsize=34168 msg=Resource [Resource: file :: Microsoft.Extensions.Logging.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.190Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Logging.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=47d7a055ee7672f9b54ba629da07a6a3 ext_sharedWith=[] ext_sha256Checksum=64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=34168 ext_insertionTimestamp=2021-09-16T22:51:15.336835Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_449\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.190Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336835Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Logging.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":34168,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"47d7a055ee7672f9b54ba629da07a6a3\",\"sha256Checksum\":\"64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination
\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-19f4f026-7d63-5465-9fc6-c1821bd52f8b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.190Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Logging.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64faba07f3a22d2ba5c2ec7b60b5f1fcd8a121b8f10666c34228c97a658d868c", "2021-09-16T22:52:32.766Z", 34168, "code42-exfil-share-datatype", "47d7a055ee7672f9b54ba629da07a6a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.190Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 
2021-09-16T22:48:27.350Z 804e3b095828 Skyformation - 3319958265666143926 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507350 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=TextEntityExtractorProxy.dll fsize=638976 msg=Resource [Resource: file :: TextEntityExtractorProxy.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.350Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=TextEntityExtractorProxy.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:55.205Z ext_md5Checksum=f8af1754c0bdb86deb1f68930784d580 ext_sharedWith=[] ext_sha256Checksum=3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=638976 ext_insertionTimestamp=2021-09-16T22:51:15.337538Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.199Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_546\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.350Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337538Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"TextEntityExtractorProxy.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":638976,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f8af1754c0bdb86deb1f68930784d580\",\"sha256Checksum\":\"3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab\",\"createTimestamp\":\"2021-08-23T09:31:50.199Z\",\"modifyTimestamp\":\"2021-08-23T09:31:55.205Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"proces
sOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-767515fa-6d2b-54eb-b95a-d0ed62b96e67", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.350Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "TextEntityExtractorProxy.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:55.205Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3c4683045b4587497faa69ab44ff1bd24b34972eea58492b2889a862e8d205ab", "2021-09-16T22:52:32.767Z", 638976, "code42-exfil-share-datatype", "f8af1754c0bdb86deb1f68930784d580", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.350Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.199Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.309Z 804e3b095828 Skyformation - 2676420173641881727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507309 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxOutlook.exe fsize=1439232 msg=Resource [Resource: file :: HxOutlook.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.309Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxOutlook.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530 
ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.168Z ext_md5Checksum=845c649d20d35fc78fbab0c0d9ec5ec6 ext_sharedWith=[] ext_sha256Checksum=f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1439232 ext_insertionTimestamp=2021-09-16T22:51:15.337398Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_530\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.309Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337398Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxOutlook.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1439232,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"845c649d20d35fc78fbab0c0d9ec5ec6\",\"sha256Checksum\":\"f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.168Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingS
ystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-8ecbddf4-f6de-5532-b9a4-0c18b11274a2", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.309Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, 
{"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxOutlook.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.168Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f859f1275a70e04795f0f36a79c6fc6fb0afd20493ed73029f89ba740bdf057a", "2021-09-16T22:52:32.761Z", 1439232, "code42-exfil-share-datatype", "845c649d20d35fc78fbab0c0d9ec5ec6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.309Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:56:54.736Z 804e3b095828 Skyformation - 2768134485455653850 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 dproc=file events dtz=default-tenant end=1631833014736 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:56:54.736Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:53.830Z ext_md5Checksum=d7bad10ef06efb58306cf290c0666440 ext_sharedWith=[] ext_sha256Checksum=158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:59:26.353681Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_11\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:56:54.736Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353681Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/michelle.goldberg/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"d7bad10ef06efb58306cf290c0666440\",\"sha256Checksum\":\"158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba\",\"createTimestamp\":\"2020-08-14T14:53:22.049Z\",\"modifyTimestamp\":\"2021-09-16T22:56:53.830Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mime
TypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:56:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_12_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_12_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-53659e52-f299-5197-b32b-1b8ec8f96d9d", "observed_start_time": "2021-09-16T22:56:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:56:54.736Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": 
"modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:56:53.830Z", "text/plain", "MODIFIED", "162.222.47.183", "michelle.goldberg", "158381d2962d8c755aa742ca05a9690fab3122b2e811a9fca9bcd5af2cf50fba", "2021-09-16T23:00:29.721Z", 21, "code42-exfil-share-datatype", "d7bad10ef06efb58306cf290c0666440", 57848, "false", "TRUE", "C:/Users/michelle.goldberg/", "Document", "Administrators", "FILE", "922302705889597824", "2021-09-16T22:56:54.736Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2020-08-14T14:53:22.049Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 8292696232025279500 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=3e524e400c05f8303ada6e81308853048f98951f fsize=348600 msg=Resource [Resource: file :: 3e524e400c05f8303ada6e81308853048f98951f] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=3e524e400c05f8303ada6e81308853048f98951f ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:53:42.201Z ext_md5Checksum=a41a0e7d69c8b117f5a841863ad4d765 ext_sharedWith=[] ext_sha256Checksum=ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=348600 ext_insertionTimestamp=2021-09-16T22:59:26.353728Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T09:53:42.064Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_33\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:55:32.032Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353728Z\",\"fieldErrors\":[],\"filePath\":\"C:/Windows/SoftwareDistribution/Download/\",\"fileName\":\"3e524e400c05f8303ada6e81308853048f98951f\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":348600,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"a41a0e7d69c8b117f5a841863ad4d765\",\"sha256Checksum\":\"ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae\",\"createTimestamp\":\"2021-09-15T09:53:42.064Z\",\"modifyTimestamp\":\"2021-09-15T09:53:42.201Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNam
es\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:32Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b141bf70-a77d-5e91-985f-804abf86f186", "observed_start_time": "2021-09-16T22:55:32Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:32.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "3e524e400c05f8303ada6e81308853048f98951f", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-15T09:53:42.201Z", "application/octet-stream", "DELETED", "162.222.47.183", "michelle.goldberg", "ccabd030e8177d7cc6875cfffdc7137ead41ff357f00c7bc96d21d15d8e524ae", "2021-09-16T23:00:29.721Z", 348600, "code42-exfil-share-datatype", "a41a0e7d69c8b117f5a841863ad4d765", 57848, "false", "TRUE", "C:/Windows/SoftwareDistribution/Download/", "Executable", "SYSTEM", "FILE", "922302705889597824", "2021-09-16T22:55:32.032Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2021-09-15T09:53:42.064Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.158Z 804e3b095828 Skyformation - 2445601142342497189 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-conio-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-crt-conio-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-conio-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.790Z ext_md5Checksum=c61e3c9099cc2b143cc93bf26ac01d34 ext_sharedWith=[] ext_sha256Checksum=24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 
ext_insertionTimestamp=2021-09-16T22:51:22.314982Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.790Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_94\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314982Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-conio-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c61e3c9099cc2b143cc93bf26ac01d34\",\"sha256Checksum\":\"24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc\",\"createTimestamp\":\"2021-09-08T09:32:11.790Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.790Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"re
movableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-19461a73-1623-57e1-9868-8316927e555a", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.158Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-conio-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.790Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "24a0ad9826b7af5fae6a784a59a8a4b390454cccd7481424c234b18bf6b1e3cc", "2021-09-16T22:52:32.763Z", 12664, "code42-exfil-share-datatype", "c61e3c9099cc2b143cc93bf26ac01d34", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", 
"Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.790Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:53:34.592Z 804e3b095828 Skyformation - 5887001634145810066 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 dproc=file events dtz=default-tenant end=1631832814592 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=sean.cassidy@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:dc69:39c4:789f:1fa6%eth4 ext_filePath=C:/Users/sean.cassidy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:53:34.592Z ext_fileClassifications=[] ext_userUid=887050325252344565 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=983156854068078725 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.65.56 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=sean.cassidy ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:53:33.688Z ext_md5Checksum=984ffdd35a8b9587207b594e6a6391b5 ext_sharedWith=[] ext_sha256Checksum=d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e ext_exposure=[] ext_privateIpAddresses_2_=127.0.0.1 ext_fileCategoryByBytes=Document ext_deviceUserName=sean.cassidy@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:27.640048Z 
ext_domainName=SEANC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-03-23T20:49:51.288Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=SEANC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_983156854068078725_1025230947655078947_63\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:53:34.592Z\",\"insertionTimestamp\":\"2021-09-16T22:54:27.640048Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/sean.cassidy/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"984ffdd35a8b9587207b594e6a6391b5\",\"sha256Checksum\":\"d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e\",\"createTimestamp\":\"2020-03-23T20:49:51.288Z\",\"modifyTimestamp\":\"2021-09-16T22:53:33.688Z\",\"deviceUserName\":\"sean.cassidy@c42se.com\",\"osHostName\":\"SEANC-OFFICIAL-\",\"domainName\":\"SEANC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:dc69:39c4:789f:1fa6%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\",\"172.20.65.56\"],\"deviceUid\":\"983156854068078725\",\"userUid\":\"887050325252344565\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":n
ull,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"sean.cassidy\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:53:34Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-719c033c-53b7-50ac-bf24-b8c674179635", "observed_start_time": "2021-09-16T22:53:34Z", "count": 1, "observable_type": "ip", "confidence": 
"High", "observed_time": {"start_time": "2021-09-16T22:53:34.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "SEANC-OFFICIAL-", "SEANC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:53:33.688Z", "text/plain", "MODIFIED", "162.222.47.183", "sean.cassidy", "d917331d7d216dcc6a2571f7ace35b0f63bf6657850574851f457288555eab0e", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "984ffdd35a8b9587207b594e6a6391b5", 57848, "false", "TRUE", "C:/Users/sean.cassidy/", "Document", "Administrators", "FILE", "887050325252344565", "2021-09-16T22:53:34.592Z", "sean.cassidy@c42se.com", "sean.cassidy@c42se.com", "2020-03-23T20:49:51.288Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:01:54.338Z 804e3b095828 Skyformation - 
5372332763298212826 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 dproc=file events dtz=default-tenant end=1631833314338 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:01:54.338Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:01:53.526Z ext_md5Checksum=88b43443da22c25cf6c00f8cd5c67b29 ext_sharedWith=[] ext_sha256Checksum=7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:49.223927Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain 
ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025231786847898237_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:01:54.338Z\",\"insertionTimestamp\":\"2021-09-16T23:02:49.223927Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/russell.martin/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"88b43443da22c25cf6c00f8cd5c67b29\",\"sha256Checksum\":\"7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69\",\"createTimestamp\":\"2020-08-21T01:27:36.760Z\",\"modifyTimestamp\":\"2021-09-16T23:01:53.526Z\",\"deviceUserName\":\"russell.martin@example.edu\",\"osHostName\":\"RUSSELLM-OFFICI\",\"domainName\":\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.162\",\"fe80:0:0:0:49f7:c945:904:10d5%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423453587837882\",\"userUid\":\"966201050854648997\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipient
s\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"russell.martin\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:01:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-87711222-9004-58f2-8d70-d87870bdc475", "observed_start_time": "2021-09-16T23:01:54Z", "count": 1, "observable_type": "ip", "ctr_uuid": "8f6040be-aa37-4fc3-8cb4-58d4974ba70b", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:01:54.338Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": 
"source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "RUSSELLM-OFFICI", "RUSSELLM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:01:53.526Z", "text/plain", "MODIFIED", "162.222.47.183", "russell.martin", "7fcba4bdc460e8401bf91e4742503e9e75f39e7b155a73d6646939ccfe73ce69", "2021-09-16T23:04:29.765Z", 21, "code42-exfil-share-datatype", "88b43443da22c25cf6c00f8cd5c67b29", 57848, "false", "TRUE", "C:/Users/russell.martin/", "Document", "Administrators", "FILE", "966201050854648997", "2021-09-16T23:01:54.338Z", "russell.martin@example.edu", "russell.martin@example.edu", "2020-08-21T01:27:36.760Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:27.284Z 804e3b095828 Skyformation - 1959883363626253346 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507284 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxCommModel.dll fsize=4250624 msg=Resource [Resource: file :: HxCommModel.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.284Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxCommModel.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.137Z ext_md5Checksum=1d0bcfa0671f607ba8e3ab53f893e8bb ext_sharedWith=[] ext_sha256Checksum=dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4250624 ext_insertionTimestamp=2021-09-16T22:51:15.337354Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint 
ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_525\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.284Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337354Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxCommModel.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4250624,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1d0bcfa0671f607ba8e3ab53f893e8bb\",\"sha256Checksum\":\"dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.137Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":nul
l,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-366d1237-2f8f-52da-b57a-6c5aeff7f553", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-09-16T22:48:27.284Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxCommModel.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.137Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "dc3de0ae1e8baf9b0959185efcfa4b06ea135933d58a134ae74f9a2cf6cbc5f3", "2021-09-16T22:52:32.763Z", 4250624, "code42-exfil-share-datatype", "1d0bcfa0671f607ba8e3ab53f893e8bb", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.284Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, 
{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:52:00.340Z 804e3b095828 Skyformation - 101121762317961190 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 dproc=file events dtz=default-tenant end=1631832720340 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:00.340Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:59.527Z ext_md5Checksum=a5d9591d6f143c127c28abadbf112417 ext_sharedWith=[] ext_sha256Checksum=ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:59.169359Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 
ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025230796202144916_7\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:52:00.340Z\",\"insertionTimestamp\":\"2021-09-16T22:52:59.169359Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"a5d9591d6f143c127c28abadbf112417\",\"sha256Checksum\":\"ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T22:51:59.527Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailD
lpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:52:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b32701b6-d75d-5708-8872-225eb4b7fbd8", "observed_start_time": "2021-09-16T22:52:00Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:52:00.340Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, 
{"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", "KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:51:59.527Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "ff1ae1d10e332f28c329db685d82dc528a29658f9421bbf591ee1cff0fba9c04", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "a5d9591d6f143c127c28abadbf112417", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T22:52:00.340Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.108Z 804e3b095828 Skyformation - 1971640500657635587 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data 
cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502108 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Google.Protobuf.dll fsize=401064 msg=Resource [Resource: file :: Google.Protobuf.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.108Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Google.Protobuf.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.060Z ext_md5Checksum=5e73f645a041a91618e33299cfe33851 ext_sharedWith=[] ext_sha256Checksum=fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=401064 ext_insertionTimestamp=2021-09-16T22:51:15.336633Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_426\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.108Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336633Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Google.Protobuf.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":401064,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e73f645a041a91618e33299cfe33851\",\"sha256Checksum\":\"fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.060Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity
\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-764e8852-01b4-5167-bee9-61f29e31602d", "observed_start_time": 
"2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.108Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Google.Protobuf.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.060Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc0ad1346340114b322eb360afc1fb8aa3e518d12a35871aefa506576487a661", "2021-09-16T22:52:32.766Z", 401064, "code42-exfil-share-datatype", "5e73f645a041a91618e33299cfe33851", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.108Z", 
"darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:47:48.222Z 804e3b095828 Skyformation - 6520290350077976637 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 dproc=file events dtz=default-tenant end=1631832468222 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:47:48.222Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=sshd.pid ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T09:39:11.904Z ext_md5Checksum=4ae3b17c6481c84809152f331f7d783c ext_sharedWith=[] ext_sha256Checksum=c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6 ext_insertionTimestamp=2021-09-16T22:56:50.885010Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-03-17T09:49:37.832Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025231182897418531_178\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:47:48.222Z\",\"insertionTimestamp\":\"2021-09-16T22:56:50.885010Z\",\"fieldErrors\":[],\"filePath\":\"C:/\",\"fileName\":\"sshd.pid\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":6,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4ae3b17c6481c84809152f331f7d783c\",\"sha256Checksum\":\"c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750\",\"createTimestamp\":\"2021-03-17T09:49:37.832Z\",\"modifyTimestamp\":\"2021-09-16T09:39:11.904Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPar
titionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:47:48Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_6_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_6_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-5d48b52e-0e61-5614-b642-183dc0ac545e", "observed_start_time": "2021-09-16T22:47:48Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:47:48.222Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "sshd.pid", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T09:39:11.904Z", "application/octet-stream", "MODIFIED", "162.222.47.183", "darnell.waters", "c64fd3bb311a471b0bc31b38f7d076eaf3cec681b81d63d9c2b43c20337d5750", "2021-09-16T22:58:29.756Z", 6, "code42-exfil-share-datatype", "4ae3b17c6481c84809152f331f7d783c", 57848, "false", "TRUE", "C:/", "Document", "Administrators", "FILE", "902428473202283166", "2021-09-16T22:47:48.222Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-03-17T09:49:37.832Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.288Z 804e3b095828 Skyformation - 4705181188840973840 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=26112 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.987Z ext_md5Checksum=c0d4746e3cb9e48dfa98f5e7d7bd98a5 ext_sharedWith=[] ext_sha256Checksum=9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false 
ext_fileSize=26112 ext_insertionTimestamp=2021-09-16T22:51:15.335722Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.598Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_325\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":26112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c0d4746e3cb9e48dfa98f5e7d7bd98a5\",\"sha256Checksum\":\"9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c\",\"createTimestamp\":\"2021-09-09T09:44:28.598Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.987Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"
tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2574907d-cae0-57cc-b985-8815cca5ac1d", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.288Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.987Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9b3ebaa0c1154f4304ec40ea52648389ac351de81c30d2c1af4fe217c852c28c", "2021-09-16T22:52:32.761Z", 26112, "code42-exfil-share-datatype", "c0d4746e3cb9e48dfa98f5e7d7bd98a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/qps-plocm/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.598Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.146Z 804e3b095828 Skyformation - 3986050769569214377 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500146 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationFramework.resources.dll fsize=208784 msg=Resource [Resource: file :: PresentationFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.146Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationFramework.resources.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.676Z ext_md5Checksum=beeb465b9ab84dbb8f78f866924d49fe ext_sharedWith=[] ext_sha256Checksum=8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=208784 ext_insertionTimestamp=2021-09-16T22:51:15.335417Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.315Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_290\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.146Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335417Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"PresentationFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":208784,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"beeb465b9ab84dbb8f78f866924d49fe\",\"sha256Checksum\":\"8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154\",\"createTimestamp\":\"2021-08-18T09:55:42.315Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.676Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-292bec71-c562-577a-a94f-ab54370603eb", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.146Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.676Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8bf9e1c1574ad3ded62435da4a54d8f0833803179fc7b28505d09accc4219154", "2021-09-16T22:52:32.766Z", 208784, "code42-exfil-share-datatype", "beeb465b9ab84dbb8f78f866924d49fe", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.146Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.315Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.163Z 804e3b095828 Skyformation - 1555498613075011916 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500163 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17272 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.163Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.707Z ext_md5Checksum=b5cb4e7532586d8ec2a144fe895ef55d ext_sharedWith=[] ext_sha256Checksum=b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.335444Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.330Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_293\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.163Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335444Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b5cb4e7532586d8ec2a144fe895ef55d\",\"sha256Checksum\":\"b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e\",\"createTimestamp\":\"2021-08-18T09:55:42.330Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.707Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removab
leMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-1b62b73d-4074-5e2d-aed4-f833528c33c6", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.163Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.707Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b13850a3b16c02cb90480a4dd884960e9b60c7b46c11734a56339596fbbe3c8e", "2021-09-16T22:52:32.765Z", 17272, "code42-exfil-share-datatype", "b5cb4e7532586d8ec2a144fe895ef55d", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pl/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.163Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.330Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.234Z 804e3b095828 Skyformation - 3773190887969410761 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520234 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Qt5Gui.dll fsize=6671232 msg=Resource [Resource: file :: Qt5Gui.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.234Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Qt5Gui.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:15.450Z ext_md5Checksum=f53d5cd7837e933cf4cc8c07a1a88350 ext_sharedWith=[] 
ext_sha256Checksum=9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6671232 ext_insertionTimestamp=2021-09-16T22:51:22.314470Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:15.375Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_23\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314470Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Qt5Gui.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":6671232,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f53d5cd7837e933cf4cc8c07a1a88350\",\"sha256Checksum\":\"9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0\",\"createTimestamp\":\"2021-09-08T09:32:15.375Z\",\"modifyTimestamp\":\"2021-09-08T09:32:15.450Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":
[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6f1119de-1ca4-5c02-8a48-8d233b6c7f51", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.234Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Qt5Gui.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:15.450Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9d39ef19798ddf117d5b76dec6c29746cf43907224fc2b92517b4f9e79e9d5a0", "2021-09-16T22:52:32.762Z", 6671232, "code42-exfil-share-datatype", "f53d5cd7837e933cf4cc8c07a1a88350", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.234Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:15.375Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.060Z 804e3b095828 Skyformation - 2848514596090498099 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500060 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.060Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.943Z ext_md5Checksum=1ac89288b8009c9a0fb138fb9d67b150 ext_sharedWith=[] ext_sha256Checksum=eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.335277Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.586Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_274\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.060Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335277Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1ac89288b8009c9a0fb138fb9d67b150\",\"sha256Checksum\":\"eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780\",\"createTimestamp\":\"2021-09-09T09:44:28.586Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.943Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9918c6d9-765e-5d8c-b914-bf67bca5fb25", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.060Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.943Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb4268264da590fc3d2e4fed77d51b2168dd0964d46ae897fb6ccf0f8578f780", "2021-09-16T22:52:32.763Z", 30720, "code42-exfil-share-datatype", "1ac89288b8009c9a0fb138fb9d67b150", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/mr-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.060Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.586Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.219Z 804e3b095828 Skyformation - 4787658200593955425 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502219 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Newtonsoft.Json.dll fsize=653824 msg=Resource [Resource: file :: Newtonsoft.Json.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.219Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Newtonsoft.Json.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.588Z ext_md5Checksum=f33cbe589b769956284868104686cc2d ext_sharedWith=[] ext_sha256Checksum=973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=653824 ext_insertionTimestamp=2021-09-16T22:51:15.336922Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.618Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_459\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.219Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336922Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Newtonsoft.Json.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":653824,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f33cbe589b769956284868104686cc2d\",\"sha256Checksum\":\"973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278\",\"createTimestamp\":\"2020-05-21T13:18:58.618Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.588Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity
\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-aea8b0e5-235a-5595-8967-8fed89dcca7f", 
"observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.219Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Newtonsoft.Json.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.588Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278", "2021-09-16T22:52:32.761Z", 653824, "code42-exfil-share-datatype", "f33cbe589b769956284868104686cc2d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:22.219Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.618Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.160Z 804e3b095828 Skyformation - 5762171414636357409 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501160 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17272 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.160Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=077bb8ca6a783006aacb63d08317c339 ext_sharedWith=[] 
ext_sha256Checksum=217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17272 ext_insertionTimestamp=2021-09-16T22:51:15.336148Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_370\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.160Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336148Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17272,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"077bb8ca6a783006aacb63d08317c339\",\"sha256Checksum\":\"217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61471_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61471_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0357656e-2c0b-5454-97fc-aaff38ba6255", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.160Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "217153aeb7ef3f58cbb3ee5dd6bb3a3ad4e498bdaee31b022be6693eec4d7c92", "2021-09-16T22:52:32.764Z", 17272, "code42-exfil-share-datatype", "077bb8ca6a783006aacb63d08317c339", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.160Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:32.032Z 804e3b095828 Skyformation - 2046146408369861582 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832932032 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=4447782c2756c6c447299d79a0e92f6950df5def fsize=3105208 msg=Resource [Resource: file :: 4447782c2756c6c447299d79a0e92f6950df5def] was deleted by [michelle.goldberg@c42se.com] requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Windows/SoftwareDistribution/Download/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:55:32.032Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=4447782c2756c6c447299d79a0e92f6950df5def ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T10:01:33.097Z ext_md5Checksum=3a09012f4a87abb2366ffbf8ca4b70ec ext_sharedWith=[] ext_sha256Checksum=0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=3105208 ext_insertionTimestamp=2021-09-16T22:59:26.353746Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-15T10:01:32.918Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025231451089499086_34\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:55:32.032Z\",\"insertionTimestamp\":\"2021-09-16T22:59:26.353746Z\",\"fieldErrors\":[],\"filePath\":\"C:/Windows/SoftwareDistribution/Download/\",\"fileName\":\"4447782c2756c6c447299d79a0e92f6950df5def\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":3105208,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3a09012f4a87abb2366ffbf8ca4b70ec\",\"sha256Checksum\":\"0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862\",\"createTimestamp\":\"2021-09-15T10:01:32.918Z\",\"modifyTimestamp\":\"2021-09-15T10:01:33.097Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"remo
vableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:32Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_11_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_11_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6a55a80a-3597-5ff8-8362-b51c90225a52", "observed_start_time": "2021-09-16T22:55:32Z", "count": 1, "observable_type": 
"ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:32.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "4447782c2756c6c447299d79a0e92f6950df5def", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-15T10:01:33.097Z", "application/octet-stream", "DELETED", "162.222.47.183", "michelle.goldberg", "0ba8177c4b7d186b42ffd22832f8795701037b843856ce7bd74acb9666fd7862", "2021-09-16T23:02:30.312Z", 3105208, "code42-exfil-share-datatype", "3a09012f4a87abb2366ffbf8ca4b70ec", 57848, "false", "TRUE", "C:/Windows/SoftwareDistribution/Download/", "Executable", "SYSTEM", "FILE", "922302705889597824", "2021-09-16T22:55:32.032Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2021-09-15T10:01:32.918Z"]]}}, 
{"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.192Z 804e3b095828 Skyformation - 3169972520407106732 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520192 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.Calc.dll fsize=1333608 msg=Resource [Resource: file :: Microsoft.SharePoint.Calc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.192Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.Calc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.967Z ext_md5Checksum=29b2b242a9fb8c094425d566c50f0958 ext_sharedWith=[] ext_sha256Checksum=a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1333608 ext_insertionTimestamp=2021-09-16T22:51:22.314319Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.949Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_8\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.192Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314319Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.Calc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1333608,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"29b2b242a9fb8c094425d566c50f0958\",\"sha256Checksum\":\"a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64\",\"createTimestamp\":\"2021-09-08T09:32:13.949Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.967Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\
":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d06e6d6c-2bd7-559d-88b4-d7e4d1a89e9a", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.192Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.Calc.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:13.967Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a02b008f1d4af87f35b9df7e5c74299c3c8d2b25a21866f6d44dfaae10eccb64", "2021-09-16T22:52:32.760Z", 1333608, "code42-exfil-share-datatype", "29b2b242a9fb8c094425d566c50f0958", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.192Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.949Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.086Z 804e3b095828 Skyformation - 1940946668403899006 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=mscorrc.dll fsize=13176 msg=Resource [Resource: file :: mscorrc.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=mscorrc.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.613Z ext_md5Checksum=fc24926593d08479a7ed2bdaff458d20 ext_sharedWith=[] ext_sha256Checksum=e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=13176 ext_insertionTimestamp=2021-09-16T22:51:15.335338Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.252Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_281\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335338Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/\",\"fileName\":\"mscorrc.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":13176,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"fc24926593d08479a7ed2bdaff458d20\",\"sha256Checksum\":\"e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532\",\"createTimestamp\":\"2021-08-18T09:55:42.252Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.613Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemU
ser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-986981d1-b0c1-5463-b0d6-0f4ac3764bf2", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.086Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": 
"sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "mscorrc.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.613Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "e7c97805391145630b8deb10afcc3eafd7c2f4c4aedcc700bd77aba71c4b3532", "2021-09-16T22:52:32.759Z", 13176, "code42-exfil-share-datatype", "fc24926593d08479a7ed2bdaff458d20", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.252Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.166Z 804e3b095828 Skyformation - 8716157904630123659 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502166 fileHash=File filePath=N/A fileType=file flexString1=DELETED 
flexString1Label=application-action fname=Microsoft.Extensions.Caching.Memory.dll fsize=32120 msg=Resource [Resource: file :: Microsoft.Extensions.Caching.Memory.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.166Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Caching.Memory.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.247Z ext_md5Checksum=9e7c8d18c1128488df0dea96a6b5be3c ext_sharedWith=[] ext_sha256Checksum=23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=32120 ext_insertionTimestamp=2021-09-16T22:51:15.336765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] 
ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_441\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.166Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Caching.Memory.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":32120,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"9e7c8d18c1128488df0dea96a6b5be3c\",\"sha256Checksum\":\"23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.247Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":nu
ll,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-32cf786a-b54f-5f06-8b5f-120a57ee31d5", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.166Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", 
"type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Caching.Memory.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.247Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "23ed239290be989d748d62f3656cab90ade5a1f54c631c621364b2dbd1a1fa4f", "2021-09-16T22:52:32.764Z", 32120, "code42-exfil-share-datatype", "9e7c8d18c1128488df0dea96a6b5be3c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.166Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.086Z 804e3b095828 Skyformation - 3103148230250787022 - 
CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502086 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=AutoMapper.dll fsize=286720 msg=Resource [Resource: file :: AutoMapper.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.086Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=AutoMapper.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-06-17T09:48:17.915Z ext_md5Checksum=ff3c3d84a000d57ef7d443f594d407ec ext_sharedWith=[] ext_sha256Checksum=4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=286720 
ext_insertionTimestamp=2021-09-16T22:51:15.336563Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-06-17T09:48:12.583Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.086Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336563Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"AutoMapper.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":286720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff3c3d84a000d57ef7d443f594d407ec\",\"sha256Checksum\":\"4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48\",\"createTimestamp\":\"2021-06-17T09:48:12.583Z\",\"modifyTimestamp\":\"2021-06-17T09:48:17.915Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":
[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4092231e-8015-5e72-93c4-007b94515cd6", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.086Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "AutoMapper.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-06-17T09:48:17.915Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4da9c752eadeec7743cf15f2a7bb98cf1eced9cae8b0c8f047c18ae7aa9a6b48", "2021-09-16T22:52:32.759Z", 286720, "code42-exfil-share-datatype", "ff3c3d84a000d57ef7d443f594d407ec", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.086Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-06-17T09:48:12.583Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:28.123Z 804e3b095828 Skyformation - 2307054547127864331 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832508123 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=igxim.dll fsize=4910872 msg=Resource [Resource: file :: igxim.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:28.123Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=igxim.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.611Z ext_md5Checksum=d19ae43d04b6c5c4b5f3fcc081b9e602 ext_sharedWith=[] ext_sha256Checksum=6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=4910872 ext_insertionTimestamp=2021-09-16T22:51:15.337678Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_569\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:28.123Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"igxim.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":4910872,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d19ae43d04b6c5c4b5f3fcc081b9e602\",\"sha256Checksum\":\"6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSy
stemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:28Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb0321a2-a87b-56fe-b5b5-20b9c02a89b4", "observed_start_time": "2021-09-16T22:48:28Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:28.123Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, 
{"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "igxim.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6a4beb632a34bcebb7e8088b2e15c56787e395091ad83839b88274b89ae6b701", "2021-09-16T22:52:32.759Z", 4910872, "code42-exfil-share-datatype", "d19ae43d04b6c5c4b5f3fcc081b9e602", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:28.123Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:02.481Z 804e3b095828 Skyformation - 9167258420999647720 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 dproc=file events dtz=default-tenant end=1631832902481 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username 
suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:55:02.481Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.206Z ext_md5Checksum=3df126f4a090da12f2c29b6e5c1c29da ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661687 ext_insertionTimestamp=2021-09-16T22:55:54.847061Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231086692202379_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:02.481Z\",\"insertionTimestamp\":\"2021-09-16T22:55:54.847061Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661687,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"3df126f4a090da12f2c29b6e5c1c29da\",\"sha256Checksum\":\"3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.206Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX (2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mim
eTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-32ba2af3-2036-5524-8bbc-ace366ddd95d", "observed_start_time": "2021-09-16T22:55:02Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:02.481Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:55:00.206Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "3d19013f2e79a57eaa7be0b713d443888e613493b24431998d45586ff3a03d0c", "2021-09-16T22:58:29.755Z", 6661687, "code42-exfil-share-datatype", "3df126f4a090da12f2c29b6e5c1c29da", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:55:02.481Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.388Z 804e3b095828 Skyformation - 75100825977135569 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 dproc=file events dtz=default-tenant 
duid=username duser=darnell.waters end=1631832520388 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-datetime-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-datetime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.388Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-datetime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.155Z ext_md5Checksum=98cfeaa96192d5dccc4a1852f6754fd5 ext_sharedWith=[] ext_sha256Checksum=3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314702Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.142Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_70\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.388Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314702Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-datetime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"98cfeaa96192d5dccc4a1852f6754fd5\",\"sha256Checksum\":\"3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027\",\"createTimestamp\":\"2021-09-08T09:32:11.142Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.155Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestin
ationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a5f54c34-5c36-5f79-9a0a-cd3443ceaf39", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.388Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-datetime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.155Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "3e6c74ace8225d4bd5c248ede6017af011bb19b97a23839f1aa25fa312107027", "2021-09-16T22:52:32.762Z", 11648, "code42-exfil-share-datatype", "98cfeaa96192d5dccc4a1852f6754fd5", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.388Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.142Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.133Z 804e3b095828 Skyformation - 
5778663738296596062 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502133 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.Core.dll fsize=144760 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.133Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.823Z ext_md5Checksum=e1edab455db5fec76120731d3c11cb67 ext_sharedWith=[] ext_sha256Checksum=b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=144760 ext_insertionTimestamp=2021-09-16T22:51:15.336694Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_433\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.133Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336694Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":144760,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1edab455db5fec76120731d3c11cb67\",\"sha256Checksum\":\"b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.823Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\"
:null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f3d93fcd-248c-5cf5-b1e3-7ea6efaeb96e", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.133Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.Core.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.823Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b9c4a5a421a6f12c2a0ecef00125c1d9b82fcdaedb88cd177908cb705237426b", "2021-09-16T22:52:32.761Z", 144760, "code42-exfil-share-datatype", "e1edab455db5fec76120731d3c11cb67", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.133Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:01.316Z 804e3b095828 Skyformation - 5313767959944003510 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 dproc=file events dtz=default-tenant end=1631832901316 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:01.316Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:00.503Z 
ext_md5Checksum=1ed9751c3a3a31efb6d268320a46952a ext_sharedWith=[] ext_sha256Checksum=8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:00.284722Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231102198319710_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:01.316Z\",\"insertionTimestamp\":\"2021-09-16T22:56:00.284722Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/lisa.anderson/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"1ed9751c3a3a31efb6d268320a46952a\",\"sha256Checksum\":\"8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab\",\"createTimestamp\":\"2020-08-20T15:35:40.032Z\",\"modifyTimestamp\":\"2021-09-16T22:55:00.503Z\",\"deviceUserName\":\"lisa.anderson@example.edu\",\"osHostName\":\"LISAA-OFFICIAL-\",\"domainName\":\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.165\",\"0:0:0:0:0:0:0:1\",\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\",\"127.0.0.1\"],\"deviceUid\":\"968364480722593364\",\"userUid\":\"966200991614299301\",\"actor\":null,\"director
yId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"lisa.anderson\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_19_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_19_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3ebf614-7a41-54e5-b9ad-6e8b032a6820", "observed_start_time": "2021-09-16T22:55:01Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:55:01.316Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "LISAA-OFFICIAL-", "LISAA-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:55:00.503Z", "text/plain", "MODIFIED", "162.222.47.183", "lisa.anderson", "8b134b6614b8ebb66bd27bd87ba7357feb7abfd3b0e2547482b3572389fb1dab", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "1ed9751c3a3a31efb6d268320a46952a", 57848, "false", "TRUE", "C:/Users/lisa.anderson/", "Document", "Administrators", "FILE", "966200991614299301", "2021-09-16T22:55:01.316Z", "lisa.anderson@example.edu", "lisa.anderson@example.edu", "2020-08-20T15:35:40.032Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.130Z 804e3b095828 Skyformation - 1463680714243760861 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501130 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Controls.Ribbon.resources.dll fsize=17296 msg=Resource [Resource: file :: System.Windows.Controls.Ribbon.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.130Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Controls.Ribbon.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.755Z ext_md5Checksum=d7b70d7ae944e13019a7796eb46e966c ext_sharedWith=[] ext_sha256Checksum=c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.336068Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_361\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.130Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336068Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Controls.Ribbon.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d7b70d7ae944e13019a7796eb46e966c\",\"sha256Checksum\":\"c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.755Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-2dfdd205-d548-557a-a188-7105930ba081", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.130Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Controls.Ribbon.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.755Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c96303d5543ff306cba304423a50ad22cd52a52843096158fdc092e6fc84e800", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "d7b70d7ae944e13019a7796eb46e966c", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.130Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:52:54.712Z 804e3b095828 Skyformation - 1972555328724139685 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 dproc=file events dtz=default-tenant end=1631832774712 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=michelle.goldberg@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:29f6:1fed:cdd5:efae%eth4 ext_filePath=C:/Users/michelle.goldberg/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:52:54.712Z ext_fileClassifications=[] ext_userUid=922302705889597824 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944597031926579042 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=michelle.goldberg ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:52:53.806Z ext_md5Checksum=352c6e242381d6d2fd656d2ffe3f05a9 ext_sharedWith=[] ext_sha256Checksum=97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=michelle.goldberg@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:54:02.107014Z ext_domainName=MICHELLEG-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.60 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:53:22.049Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=MICHELLEG-OFFIC 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944597031926579042_1025230905645429710_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:52:54.712Z\",\"insertionTimestamp\":\"2021-09-16T22:54:02.107014Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/michelle.goldberg/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"352c6e242381d6d2fd656d2ffe3f05a9\",\"sha256Checksum\":\"97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d\",\"createTimestamp\":\"2020-08-14T14:53:22.049Z\",\"modifyTimestamp\":\"2021-09-16T22:52:53.806Z\",\"deviceUserName\":\"michelle.goldberg@c42se.com\",\"osHostName\":\"MICHELLEG-OFFIC\",\"domainName\":\"MICHELLEG-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:29f6:1fed:cdd5:efae%eth4\",\"172.20.65.60\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944597031926579042\",\"userUid\":\"922302705889597824\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeT
ypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"michelle.goldberg\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:52:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7c4b7cfb-ff1f-59b1-93a0-91313fa71439", "observed_start_time": "2021-09-16T22:52:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:52:54.712Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": 
"modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "MICHELLEG-OFFIC", "MICHELLEG-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:52:53.806Z", "text/plain", "MODIFIED", "162.222.47.183", "michelle.goldberg", "97c20a8b5dda06cdaac1605c7db6e3401fda77377fcf8e9b81f1f1c19286b32d", "2021-09-16T22:54:30.604Z", 21, "code42-exfil-share-datatype", "352c6e242381d6d2fd656d2ffe3f05a9", 57848, "false", "TRUE", "C:/Users/michelle.goldberg/", "Document", "Administrators", "FILE", "922302705889597824", "2021-09-16T22:52:54.712Z", "michelle.goldberg@c42se.com", "michelle.goldberg@c42se.com", "2020-08-14T14:53:22.049Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.328Z 804e3b095828 Skyformation - 802229965662222268 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 dproc=file events dtz=default-tenant duid=username 
duser=SYSTEM end=1631832498328 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneAppProxy.Core.resources.dll fsize=30720 msg=Resource [Resource: file :: YourPhoneAppProxy.Core.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.328Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneAppProxy.Core.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:33.664Z ext_md5Checksum=c329416237b094613fc5f5a64b2ecbce ext_sharedWith=[] ext_sha256Checksum=0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=30720 ext_insertionTimestamp=2021-09-16T22:51:15.334616Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.564Z 
ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe64 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_201\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.328Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334616Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/\",\"fileName\":\"YourPhoneAppProxy.Core.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":30720,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c329416237b094613fc5f5a64b2ecbce\",\"sha256Checksum\":\"0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75\",\"createTimestamp\":\"2021-09-09T09:44:28.564Z\",\"modifyTimestamp\":\"2021-09-09T09:44:33.664Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removable
MediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe64\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-53045a88-f6cf-5c78-9b45-7919c983dd54", "observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": 
"2021-09-16T22:48:18.328Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneAppProxy.Core.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:33.664Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0defc6df06a3baa70e2a58a1cacb921ec232cf3bcb8dec624e446ee258698f75", "2021-09-16T22:52:32.765Z", 30720, "code42-exfil-share-datatype", "c329416237b094613fc5f5a64b2ecbce", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/gu-IN/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:18.328Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.564Z"]]}}, {"suspicious": 
0, "description": "```\n<110>1 2021-09-16T22:48:23.178Z 804e3b095828 Skyformation - 8816902891285415513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=YourPhoneServer.exe fsize=47104 msg=Resource [Resource: file :: YourPhoneServer.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=YourPhoneServer.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.484Z ext_md5Checksum=640c3b31c496531dacc0a8fb830fd457 ext_sharedWith=[] ext_sha256Checksum=f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com 
ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47104 ext_insertionTimestamp=2021-09-16T22:51:15.337186Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.653Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_492\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337186Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"YourPhoneServer.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47104,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"640c3b31c496531dacc0a8fb830fd457\",\"sha256Checksum\":\"f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7\",\"createTimestamp\":\"2021-09-09T09:44:28.653Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.484Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"pr
ocessName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-bb1cd9ba-bcbf-5e7c-bff6-a1f16c9d579f", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.178Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "YourPhoneServer.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-09T09:44:34.484Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "f8730b34ce048376e45f849494eacb7fd39233fe18f18c6f322cd8ea85c420f7", "2021-09-16T22:52:32.765Z", 47104, "code42-exfil-share-datatype", "640c3b31c496531dacc0a8fb830fd457", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.178Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.653Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:50:54.234Z 804e3b095828 Skyformation - 8299296745530260548 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 dproc=file events dtz=default-tenant end=1631832654234 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=russell.martin@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.162 ext_filePath=C:/Users/russell.martin/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:50:54.234Z ext_fileClassifications=[] ext_userUid=966201050854648997 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423453587837882 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=russell.martin ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:50:53.422Z ext_md5Checksum=f9f18977a180437631eb8e969d503075 ext_sharedWith=[] 
ext_sha256Checksum=cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=russell.martin@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:51:57.205056Z ext_domainName=RUSSELLM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:49f7:c945:904:10d5%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:27:36.760Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=RUSSELLM-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423453587837882_1025230693241850493_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:50:54.234Z\",\"insertionTimestamp\":\"2021-09-16T22:51:57.205056Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/russell.martin/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"f9f18977a180437631eb8e969d503075\",\"sha256Checksum\":\"cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022\",\"createTimestamp\":\"2020-08-21T01:27:36.760Z\",\"modifyTimestamp\":\"2021-09-16T22:50:53.422Z\",\"deviceUserName\":\"russell.martin@example.edu\",\"osHostName\":\"RUSSELLM-OFFICI\",\"domainName\":\"RUSSELLM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.162\",\"fe80:0:0:0:49f7:c945:904:10d5%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423453587837882\",\"userUid\":\"966201050854648997\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":nul
l,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"russell.martin\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:50:54Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4162539b-fbca-51cf-b6e4-0a6b26d39962", "observed_start_time": "2021-09-16T22:50:54Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:50:54.234Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "RUSSELLM-OFFICI", "RUSSELLM-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:50:53.422Z", "text/plain", "MODIFIED", "162.222.47.183", "russell.martin", "cffd1095b8685bbe11d310db6320788010e2cbf8f44b2ed8644d7529c877a022", "2021-09-16T22:52:32.764Z", 21, "code42-exfil-share-datatype", "f9f18977a180437631eb8e969d503075", 57848, "false", "TRUE", "C:/Users/russell.martin/", "Document", "Administrators", "FILE", "966201050854648997", "2021-09-16T22:50:54.234Z", "russell.martin@example.edu", "russell.martin@example.edu", "2020-08-21T01:27:36.760Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.216Z 804e3b095828 Skyformation - 6058972324110053012 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503216 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapi.lib fsize=1570 msg=Resource [Resource: file :: libnanoapi.lib] was deleted by [darnell.waters@c42se.com] proto=lib requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Uncategorized ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Archive ext_eventTimestamp=2021-09-16T22:48:23.216Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapi.lib ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/octet-stream ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 
ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:30.262Z ext_md5Checksum=bb41b302cf1325c4f459616da8e605a2 ext_sharedWith=[] ext_sha256Checksum=3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Archive ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1570 ext_insertionTimestamp=2021-09-16T22:51:15.337256Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.468Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-archive ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_501\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.216Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337256Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"libnanoapi.lib\",\"fileType\":\"FILE\",\"fileCategory\":\"Archive\",\"fileCategoryByBytes\":\"Archive\",\"fileCategoryByExtension\":\"Uncategorized\",\"fileSize\":1570,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"bb41b302cf1325c4f459616da8e605a2\",\"sha256Checksum\":\"3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df\",\"createTimestamp\":\"2021-09-09T09:44:28.468Z\",\"modifyTimestamp\":\"2021-09-09T09:44:30.262Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-archive\",\"mimeTypeByExtension\":\"application/octet-stream\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters
\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-f011d516-96c8-5ad3-a4b0-533801bdca65", "observed_start_time": "2021-09-16T22:48:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.216Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": 
"string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Uncategorized", "Endpoint", "libnanoapi.lib", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:30.262Z", "application/octet-stream", "DELETED", "162.222.47.183", "darnell.waters", "3462d54a16b8c9a58a863b6d83567eb2d4ab88750ba0a193e635943b3fcdd9df", "2021-09-16T22:52:32.763Z", 1570, "code42-exfil-share-datatype", "bb41b302cf1325c4f459616da8e605a2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/", "Archive", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.216Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-09T09:44:28.468Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:30.321Z 804e3b095828 Skyformation - 5172779214309044716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832510321 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=inktotextengineimm.dll 
fsize=346480 msg=Resource [Resource: file :: inktotextengineimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:30.321Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=inktotextengineimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:52.674Z ext_md5Checksum=3579a936952da7532c4358700bed43a3 ext_sharedWith=[] ext_sha256Checksum=f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=346480 ext_insertionTimestamp=2021-09-16T22:51:15.337686Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_732\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:30.321Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337686Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"inktotextengineimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":346480,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3579a936952da7532c4358700bed43a3\",\"sha256Checksum\":\"f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:52.674Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":
false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:30Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b5817d5a-4a72-58ec-81bc-5a28f291f095", "observed_start_time": "2021-09-16T22:48:30Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:30.321Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "inktotextengineimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:52.674Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f7560916b1fbaafe6a90a15d6f87fa8255d2449365141b33dae3445fee6bdc82", "2021-09-16T22:52:32.762Z", 346480, "code42-exfil-share-datatype", "3579a936952da7532c4358700bed43a3", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:30.321Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.295Z 804e3b095828 Skyformation - 3864355406809506650 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499295 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15224 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.295Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.316Z ext_md5Checksum=5a9f0b52ac62762bd03d34c0e410acb3 ext_sharedWith=[] ext_sha256Checksum=b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15224 ext_insertionTimestamp=2021-09-16T22:51:15.335136Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_258\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.295Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335136Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5a9f0b52ac62762bd03d34c0e410acb3\",\"sha256Checksum\":\"b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.316Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removabl
eMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-a05b4e8f-6202-5499-ba07-3718cf72c197", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.295Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.316Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "b06098d391f2dd2b2f9db6559247bfda66e9b0d12a7082c709e8426a1b9c42b0", "2021-09-16T22:52:32.760Z", 15224, "code42-exfil-share-datatype", "5a9f0b52ac62762bd03d34c0e410acb3", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.295Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.241Z 804e3b095828 Skyformation - 7925912627090119436 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500241 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15240 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.241Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters 
ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:49.863Z ext_md5Checksum=d1b7ec7c3a95ec1e84117bfef59f1ab6 ext_sharedWith=[] ext_sha256Checksum=201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15240 ext_insertionTimestamp=2021-09-16T22:51:15.335618Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.361Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_313\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.241Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335618Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15240,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d1b7ec7c3a95ec1e84117bfef59f1ab6\",\"sha256Checksum\":\"201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d\",\"createTimestamp\":\"2021-08-18T09:55:42.361Z\",\"modifyTimestamp\":\"2021-08-18T09:55:49.863Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a0de864d-2900-5255-812e-84ad1269fe51", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:49.863Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "201bdf47cc8a9e7b444f132d631b42b3d8dd3918cae171657782ed5b7f05b36d", "2021-09-16T22:52:32.765Z", 15240, "code42-exfil-share-datatype", "d1b7ec7c3a95ec1e84117bfef59f1ab6", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/pt-BR/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.241Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.361Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.330Z 804e3b095828 Skyformation - 6726481126123874816 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500330 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Input.Manipulations.resources.dll fsize=15736 msg=Resource [Resource: file :: System.Windows.Input.Manipulations.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.330Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Input.Manipulations.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.144Z ext_md5Checksum=1b1e7bc04757e673ca956218abdb7959 ext_sharedWith=[] ext_sha256Checksum=a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=15736 ext_insertionTimestamp=2021-09-16T22:51:15.335818Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.393Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_336\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.330Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335818Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"System.Windows.Input.Manipulations.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":15736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"1b1e7bc04757e673ca956218abdb7959\",\"sha256Checksum\":\"a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb\",\"createTimestamp\":\"2021-08-18T09:55:42.393Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.144Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removabl
eMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-72a3a626-c665-500e-8f8e-348475fffa7a", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.330Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Input.Manipulations.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.144Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "a3cd45fe06fd6f4c6d40d37fdb7ac967465782d45ceef75c8310bd4beb1efaeb", "2021-09-16T22:52:32.766Z", 15736, "code42-exfil-share-datatype", "1b1e7bc04757e673ca956218abdb7959", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.330Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.393Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.233Z 804e3b095828 Skyformation - 7900726948962949993 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501233 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ReachFramework.resources.dll fsize=35728 msg=Resource [Resource: file :: ReachFramework.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.233Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ReachFramework.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-08-18T09:55:54.224Z ext_md5Checksum=e1b4ed26020dd106aaf2e1a6265dce9d ext_sharedWith=[] ext_sha256Checksum=fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=35728 ext_insertionTimestamp=2021-09-16T22:51:15.336279Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.627Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_385\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.233Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336279Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"ReachFramework.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":35728,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"e1b4ed26020dd106aaf2e1a6265dce9d\",\"sha256Checksum\":\"fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f\",\"createTimestamp\":\"2021-08-18T09:55:42.627Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.224Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b94cad0a-dbae-50b0-8247-6f277b16ef62", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.233Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ReachFramework.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.224Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "fc558243b427e0545130c0af7f36676694f745fb7480c5af91ea52601dc4f11f", "2021-09-16T22:52:32.760Z", 35728, "code42-exfil-share-datatype", "e1b4ed26020dd106aaf2e1a6265dce9d", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.233Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.627Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:46.178Z 804e3b095828 Skyformation - 5549850081874991791 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832526178 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=qtquickextrasplugin.dll fsize=80256 msg=Resource [Resource: file :: qtquickextrasplugin.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:46.178Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=qtquickextrasplugin.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:21.223Z ext_md5Checksum=68118cdf04def6c50804a705773bbd9b ext_sharedWith=[] ext_sha256Checksum=eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=80256 ext_insertionTimestamp=2021-09-16T22:51:22.315412Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 
ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:21.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_394\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:46.178Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315412Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/\",\"fileName\":\"qtquickextrasplugin.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":80256,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"68118cdf04def6c50804a705773bbd9b\",\"sha256Checksum\":\"eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8\",\"createTimestamp\":\"2021-09-08T09:32:21.221Z\",\"modifyTimestamp\":\"2021-09-08T09:32:21.223Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,
\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:46Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-4a0c230f-9717-5e9f-a713-a19dc76fff57", "observed_start_time": "2021-09-16T22:48:46Z", "count": 1, 
"observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:46.178Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "qtquickextrasplugin.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:21.223Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "eb178f4471c0959d1869f9a3f8c5ad6c7431f42a4e7c820a5544e01adb5a75a8", "2021-09-16T22:52:32.765Z", 80256, "code42-exfil-share-datatype", "68118cdf04def6c50804a705773bbd9b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/qml/QtQuick/Extras/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:46.178Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:21.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.278Z 804e3b095828 Skyformation - 620940066362011056 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501278 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationClient.resources.dll fsize=18320 msg=Resource [Resource: file :: UIAutomationClient.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.278Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationClient.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:54.271Z ext_md5Checksum=5e55e4041d9e6f6bf0d3738a25255913 ext_sharedWith=[] ext_sha256Checksum=2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f ext_exposure=[] 
ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18320 ext_insertionTimestamp=2021-09-16T22:51:15.336341Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.643Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_392\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.278Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336341Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/\",\"fileName\":\"UIAutomationClient.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18320,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"5e55e4041d9e6f6bf0d3738a25255913\",\"sha256Checksum\":\"2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f\",\"createTimestamp\":\"2021-08-18T09:55:42.643Z\",\"modifyTimestamp\":\"2021-08-18T09:55:54.271Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\
":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-05bbd72b-3d43-546c-9d35-945d8f707e57", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.278Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationClient.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:54.271Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2a3d463f18879252abce271a05ffe04a9bcc15a4c73c794f1f74571b5570440f", "2021-09-16T22:52:32.762Z", 18320, "code42-exfil-share-datatype", "5e55e4041d9e6f6bf0d3738a25255913", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/zh-Hans/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.278Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.643Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:39.345Z 804e3b095828 Skyformation - 1958477291212270716 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832519345 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=FileSync.Resources.dll fsize=2382208 msg=Resource [Resource: file :: FileSync.Resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:39.345Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=FileSync.Resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:12.146Z ext_md5Checksum=3c69d0029f27ff52a1b4d3f70fef0d2b ext_sharedWith=[] ext_sha256Checksum=db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=2382208 ext_insertionTimestamp=2021-09-16T22:51:15.337890Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:12.114Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_985\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:39.345Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337890Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"FileSync.Resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":2382208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"3c69d0029f27ff52a1b4d3f70fef0d2b\",\"sha256Checksum\":\"db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f\",\"createTimestamp\":\"2021-09-08T09:32:12.114Z\",\"modifyTimestamp\":\"2021-09-08T09:32:12.146Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:39Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-948e9f79-dc63-5056-aea8-c68e06874928", "observed_start_time": "2021-09-16T22:48:39Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:39.345Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": 
"src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "FileSync.Resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:12.146Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "db5cc7a5d83b489e94175566d85561f17cf23c45376a9c554bf517a3da11772f", "2021-09-16T22:52:32.760Z", 2382208, "code42-exfil-share-datatype", "3c69d0029f27ff52a1b4d3f70fef0d2b", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:39.345Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:12.114Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.322Z 804e3b095828 Skyformation - 7733542298210638890 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499322 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=WindowsFormsIntegration.resources.dll fsize=14736 msg=Resource [Resource: file :: WindowsFormsIntegration.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.322Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=WindowsFormsIntegration.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:48.379Z ext_md5Checksum=6e8097b4e0d86ed2d1fc1f6f1e3d3ed4 ext_sharedWith=[] ext_sha256Checksum=f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14736 ext_insertionTimestamp=2021-09-16T22:51:15.335199Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.221Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_265\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.322Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335199Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/\",\"fileName\":\"WindowsFormsIntegration.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14736,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"6e8097b4e0d86ed2d1fc1f6f1e3d3ed4\",\"sha256Checksum\":\"f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281\",\"createTimestamp\":\"2021-08-18T09:55:42.221Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.379Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMedia
SerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-591003e3-d294-5b92-b79e-0b8f876ef71a", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.322Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "WindowsFormsIntegration.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.379Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f37955650fef1edf9af8682ebc8ed36a85731d66e6fde50315a6e65a15b10281", "2021-09-16T22:52:32.766Z", 14736, "code42-exfil-share-datatype", "6e8097b4e0d86ed2d1fc1f6f1e3d3ed4", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ko/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.322Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.221Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.409Z 804e3b095828 Skyformation - 3292049587095014892 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520409 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-interlocked-l1-1-0.dll fsize=11640 msg=Resource [Resource: file :: api-ms-win-core-interlocked-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.409Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-interlocked-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-09-08T09:32:11.395Z ext_md5Checksum=72413f1254d09348dab76ee4e5e2e300 ext_sharedWith=[] ext_sha256Checksum=4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11640 ext_insertionTimestamp=2021-09-16T22:51:22.314795Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.394Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_78\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.409Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314795Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-interlocked-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11640,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"72413f1254d09348dab76ee4e5e2e300\",\"sha256Checksum\":\"4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9\",\"createTimestamp\":\"2021-09-08T09:32:11.394Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.395Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0
:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains 
observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-9d71ceb9-5bd1-5f54-9ab2-e4c2b17d36ec", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.409Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", 
"api-ms-win-core-interlocked-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.395Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "4b26bdca15c8f1d2bb53a7c45dfb89760cfca291ed2f5854ea968fec8ced0cf9", "2021-09-16T22:52:32.767Z", 11640, "code42-exfil-share-datatype", "72413f1254d09348dab76ee4e5e2e300", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.409Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.394Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.258Z 804e3b095828 Skyformation - 1818903256850803241 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502258 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.ComponentModel.Annotations.dll fsize=43152 msg=Resource [Resource: file :: System.ComponentModel.Annotations.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.258Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.ComponentModel.Annotations.dll 
ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.611Z ext_md5Checksum=7d3d14b0417a68ccdd9c51972ff74863 ext_sharedWith=[] ext_sha256Checksum=04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=43152 ext_insertionTimestamp=2021-09-16T22:51:15.336992Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_467\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.258Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336992Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.ComponentModel.Annotations.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":43152,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"7d3d14b0417a68ccdd9c51972ff74863\",\"sha256Checksum\":\"04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.611Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61473_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61473_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d53d7240-3aa7-5101-93e4-21c54bf8057d", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.258Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.ComponentModel.Annotations.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2020-05-21T13:19:04.611Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "04113c8549185519f3202790ceb23df609644872b9c249a56d2bcf59566102c4", "2021-09-16T22:52:32.766Z", 43152, "code42-exfil-share-datatype", "7d3d14b0417a68ccdd9c51972ff74863", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.258Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.391Z 804e3b095828 Skyformation - 4479317194261044647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520391 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-debug-l1-1-0.dll fsize=11648 msg=Resource [Resource: file :: api-ms-win-core-debug-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.391Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-debug-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.185Z ext_md5Checksum=5c7fa0b68872c2d1d3f10601e3af2341 ext_sharedWith=[] ext_sha256Checksum=375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11648 ext_insertionTimestamp=2021-09-16T22:51:22.314714Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.181Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_71\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.391Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314714Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-debug-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11648,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"5c7fa0b68872c2d1d3f10601e3af2341\",\"sha256Checksum\":\"375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477\",\"createTimestamp\":\"2021-09-08T09:32:11.181Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.185Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"r
emovableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_8_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_8_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-76f5923e-90cb-5871-a068-f325c3b14df5", "observed_start_time": "2021-09-16T22:48:40Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.391Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-debug-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.185Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "375f6efc1cd8eccf46be4129dea4b6517ee214fd193c6af09aa6a3b044c2a477", "2021-09-16T22:52:32.758Z", 11648, "code42-exfil-share-datatype", "5c7fa0b68872c2d1d3f10601e3af2341", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.391Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:11.181Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:59:02.980Z 804e3b095828 Skyformation - 4278846075478692153 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 dproc=file events dtz=default-tenant end=1631833142980 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=0:0:0:0:0:0:0:1%lo0 ext_filePath=/Users/kathy.kane/.scripts/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_privateIpAddresses_4_=fe80:0:0:0:1c63:eb97:f588:24d0%en0 ext_eventTimestamp=2021-09-16T22:59:02.980Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=950699765112475617 ext_fileType=FILE ext_privateIpAddresses_3_=172.20.64.15 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=kathy.kane ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:59:00.670Z ext_md5Checksum=7a691f6c406d52373ad2c62e2f480bb3 ext_sharedWith=[] ext_privateIpAddresses_6_=fe80:0:0:0:8e53:1822:1548:a9ba%utun0 ext_sha256Checksum=1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:6616:2d2a:9d22:ad28%utun1 ext_fileCategoryByBytes=Document ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=6661803 
ext_insertionTimestamp=2021-09-16T23:01:17.003636Z ext_privateIpAddresses_5_=127.0.0.1 ext_domainName=localhost ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:0:0:0:1%lo0 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-12T14:09:19.657Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=kathy.kane ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KATHYK-OSX (2) cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_950699765112475617_1025231633075795851_0\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:59:02.980Z\",\"insertionTimestamp\":\"2021-09-16T23:01:17.003636Z\",\"fieldErrors\":[],\"filePath\":\"/Users/kathy.kane/.scripts/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":6661803,\"fileOwner\":\"kathy.kane\",\"md5Checksum\":\"7a691f6c406d52373ad2c62e2f480bb3\",\"sha256Checksum\":\"1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3\",\"createTimestamp\":\"2020-08-12T14:09:19.657Z\",\"modifyTimestamp\":\"2021-09-16T22:59:00.670Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":\"KATHYK-OSX 
(2)\",\"domainName\":\"localhost\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"0:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:0:0:0:1%lo0\",\"fe80:0:0:0:6616:2d2a:9d22:ad28%utun1\",\"172.20.64.15\",\"fe80:0:0:0:1c63:eb97:f588:24d0%en0\",\"127.0.0.1\",\"fe80:0:0:0:8e53:1822:1548:a9ba%utun0\"],\"deviceUid\":\"950699765112475617\",\"userUid\":\"886897886179661430\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"kathy.kane\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:59:02Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_1_61482_bb3b8a648af1"], "disposition": 5, 
"short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_1_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-44f8d201-58cc-59b9-97c3-f246c522fbbf", "observed_start_time": "2021-09-16T22:59:02Z", "count": 1, "observable_type": "ip", "ctr_uuid": "2b62502c-3789-473e-82ed-1635c31f6ebb", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:59:02.980Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": 
"string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KATHYK-OSX (2)", "localhost", "2021-09-16T22:59:00.670Z", "text/plain", "MODIFIED", "162.222.47.183", "kathy.kane", "1ca1d5dc9c8c97a6a859a13435ea3b95b558c6db563e3935d6baa44b36d745a3", "2021-09-16T23:02:30.314Z", 6661803, "code42-exfil-share-datatype", "7a691f6c406d52373ad2c62e2f480bb3", 57848, "false", "TRUE", "/Users/kathy.kane/.scripts/", "Document", "kathy.kane", "FILE", "886897886179661430", "2021-09-16T22:59:02.980Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-08-12T14:09:19.657Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.194Z 804e3b095828 Skyformation - 8896522640953240289 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502194 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.Extensions.Options.dll fsize=50552 msg=Resource [Resource: file :: Microsoft.Extensions.Options.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.194Z 
ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.Extensions.Options.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.917Z ext_md5Checksum=89c3d573e8b2e5a71850a69f14fff1a5 ext_sharedWith=[] ext_sha256Checksum=8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=50552 ext_insertionTimestamp=2021-09-16T22:51:15.336844Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.786Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_450\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.194Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336844Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.Extensions.Options.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":50552,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"89c3d573e8b2e5a71850a69f14fff1a5\",\"sha256Checksum\":\"8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c\",\"createTimestamp\":\"2021-08-26T09:51:56.786Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.917Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d48070bb-5f27-5c2d-988d-60be6d9b5bf9", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.194Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.Extensions.Options.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.917Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "8f2d9fd3415a9e87e92d56a257464b54cc20790a00030d25939f7cc562cb8c2c", "2021-09-16T22:52:32.763Z", 50552, "code42-exfil-share-datatype", "89c3d573e8b2e5a71850a69f14fff1a5", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.194Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.786Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.199Z 804e3b095828 Skyformation - 6939005988968345766 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521199 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-runtime-l1-1-0.dll fsize=16248 msg=Resource [Resource: file :: api-ms-win-crt-runtime-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.199Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-runtime-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.870Z ext_md5Checksum=439e89fa2d4882b639df5e8ec7a96ba3 ext_sharedWith=[] ext_sha256Checksum=30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=16248 ext_insertionTimestamp=2021-09-16T22:51:22.315098Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.868Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_104\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.199Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315098Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-runtime-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":16248,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"439e89fa2d4882b639df5e8ec7a96ba3\",\"sha256Checksum\":\"30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862\",\"createTimestamp\":\"2021-09-08T09:32:11.868Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.870Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\
"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a0d1586a-980b-53db-a3bd-54d0da5b1f6c", "observed_start_time": "2021-09-16T22:48:41Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.199Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-runtime-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.870Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "30aaa8ee0fb41255338f5c27381abee21f813af9305a9c751e26664fdd78d862", "2021-09-16T22:52:32.759Z", 16248, "code42-exfil-share-datatype", "439e89fa2d4882b639df5e8ec7a96ba3", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.199Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-08T09:32:11.868Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:44.248Z 804e3b095828 Skyformation - 5118201545866640269 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832524248 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=ipcfile.dll fsize=519040 msg=Resource [Resource: file :: ipcfile.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:44.248Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=ipcfile.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:13.599Z ext_md5Checksum=c0ae22d4188ac20d9d83dd26ad0aabe8 ext_sharedWith=[] ext_sha256Checksum=f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=519040 ext_insertionTimestamp=2021-09-16T22:51:22.315215Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:13.591Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_327\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:44.248Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315215Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"ipcfile.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":519040,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"c0ae22d4188ac20d9d83dd26ad0aabe8\",\"sha256Checksum\":\"f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0\",\"createTimestamp\":\"2021-09-08T09:32:13.591Z\",\"modifyTimestamp\":\"2021-09-08T09:32:13.599Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\
":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:44Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-688ee4c8-f77c-5f46-9836-4348af79eaac", "observed_start_time": "2021-09-16T22:48:44Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:44.248Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "ipcfile.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-08T09:32:13.599Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f25b8096bcf9fa7a0e06c179922c0d7e8d21340975708a245e968ff55dfd98a0", "2021-09-16T22:52:32.766Z", 519040, "code42-exfil-share-datatype", "c0ae22d4188ac20d9d83dd26ad0aabe8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:44.248Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:13.591Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:57:00.388Z 804e3b095828 Skyformation - 828612858482025544 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 dproc=file events dtz=default-tenant end=1631833020388 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:57:00.388Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:56:59.574Z ext_md5Checksum=8efa479f501fce555f0d148ed15700ff ext_sharedWith=[] 
ext_sha256Checksum=7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:58:23.763511Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231343021946004_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:57:00.388Z\",\"insertionTimestamp\":\"2021-09-16T22:58:23.763511Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"8efa479f501fce555f0d148ed15700ff\",\"sha256Checksum\":\"7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T22:56:59.574Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sha
redWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:57:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-16c0c82f-103f-5735-8035-176b59587558", "observed_start_time": "2021-09-16T22:57:00Z", "count": 1, "observable_type": "ip", "ctr_uuid": "939e6101-de49-4225-a54a-08c9718d357c", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:57:00.388Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", 
"KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:56:59.574Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "7bc91022e4be446a342348618bafabeb31642961858735ec25bf78c3dc2bb2f0", "2021-09-16T23:00:29.721Z", 21, "code42-exfil-share-datatype", "8efa479f501fce555f0d148ed15700ff", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T22:57:00.388Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.201Z 804e3b095828 Skyformation - 359232887885853575 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520201 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.WebSocketClient.dll fsize=1103208 msg=Resource [Resource: file :: Microsoft.SharePoint.WebSocketClient.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.201Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.WebSocketClient.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.468Z ext_md5Checksum=e93c70df0faa580e8272c9c833238352 ext_sharedWith=[] ext_sha256Checksum=1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=1103208 ext_insertionTimestamp=2021-09-16T22:51:22.314355Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.457Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_11\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.201Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314355Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.WebSocketClient.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":1103208,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"e93c70df0faa580e8272c9c833238352\",\"sha256Checksum\":\"1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00\",\"createTimestamp\":\"2021-09-08T09:32:14.457Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.468Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":fals
e,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-6c6ba0d2-5cb7-5fb4-b8fa-b1ddcca2b916", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.201Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": 
"string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.WebSocketClient.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.468Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "1ff734b6117094d73ce3c2a5d390450dfe317b1f4ebd226166a382be8ec12e00", "2021-09-16T22:52:32.763Z", 1103208, "code42-exfil-share-datatype", "e93c70df0faa580e8272c9c833238352", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.201Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.457Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.250Z 804e3b095828 Skyformation - 8852958614094471380 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502250 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Collections.Immutable.dll fsize=302216 msg=Resource [Resource: file :: System.Collections.Immutable.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.250Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Collections.Immutable.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-10T09:42:50.294Z ext_md5Checksum=d8203aedaabeac1e606cd0e2af397d01 ext_sharedWith=[] ext_sha256Checksum=2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=302216 ext_insertionTimestamp=2021-09-16T22:51:15.336984Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-10T09:42:45.246Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_466\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.250Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336984Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Collections.Immutable.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":302216,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"d8203aedaabeac1e606cd0e2af397d01\",\"sha256Checksum\":\"2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57\",\"createTimestamp\":\"2021-08-10T09:42:45.246Z\",\"modifyTimestamp\":\"2021-08-10T09:42:50.294Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNum
ber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": 
"transient:sighting-a06655bf-1d69-5734-9385-bedd69f54dde", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.250Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Collections.Immutable.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-10T09:42:50.294Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "2f05a2c489c2d30a6cca346d4ce184323d70eb4f5afa6bed34d5800274444e57", "2021-09-16T22:52:32.760Z", 302216, "code42-exfil-share-datatype", "d8203aedaabeac1e606cd0e2af397d01", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", 
"Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.250Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-10T09:42:45.246Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:55:45.200Z 804e3b095828 Skyformation - 4568069721930504518 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 dproc=file events dtz=default-tenant end=1631832945200 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:55:45.200Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:55:44.294Z ext_md5Checksum=443f8cb00cc5111045099941ed333760 ext_sharedWith=[] ext_sha256Checksum=0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:56:57.527022Z 
ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231198450068611_2\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:55:45.200Z\",\"insertionTimestamp\":\"2021-09-16T22:56:57.527022Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/eric.strauss/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"443f8cb00cc5111045099941ed333760\",\"sha256Checksum\":\"0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59\",\"createTimestamp\":\"2020-08-14T13:40:10.269Z\",\"modifyTimestamp\":\"2021-09-16T22:55:44.294Z\",\"deviceUserName\":\"eric.strauss@c42se.com\",\"osHostName\":\"ERICS-OFFICIAL-\",\"domainName\":\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:10bc:b19:239f:6063%eth4\",\"172.20.65.70\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"949085489986461736\",\"userUid\":\"886924612955838070\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\
"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"eric.strauss\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:55:45Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-88010803-a3bd-5c70-ad45-f8a8ff7c5250", "observed_start_time": "2021-09-16T22:55:45Z", "count": 1, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-09-16T22:55:45.200Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ERICS-OFFICIAL-", "ERICS-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:55:44.294Z", "text/plain", "MODIFIED", "162.222.47.183", "eric.strauss", "0f49d75d85058da051eee3712fe1332bc5b220726d3bcd1cff60fc47496cba59", "2021-09-16T22:58:29.756Z", 21, "code42-exfil-share-datatype", "443f8cb00cc5111045099941ed333760", 57848, "false", "TRUE", "C:/Users/eric.strauss/", "Document", "Administrators", "FILE", "886924612955838070", "2021-09-16T22:55:45.200Z", "eric.strauss@c42se.com", "eric.strauss@c42se.com", "2020-08-14T13:40:10.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:31.153Z 804e3b095828 Skyformation - 
7474122321591613513 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832511153 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=msoimm.dll fsize=11529088 msg=Resource [Resource: file :: msoimm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:31.153Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=msoimm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:53.564Z ext_md5Checksum=3f7fb1d32a7be58e65dc615a9553e183 ext_sharedWith=[] ext_sha256Checksum=052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=11529088 
ext_insertionTimestamp=2021-09-16T22:51:15.337748Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:50.183Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_773\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:31.153Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337748Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"msoimm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":11529088,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3f7fb1d32a7be58e65dc615a9553e183\",\"sha256Checksum\":\"052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc\",\"createTimestamp\":\"2021-08-23T09:31:50.183Z\",\"modifyTimestamp\":\"2021-08-23T09:31:53.564Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"remov
ableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:31Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": 
"Unknown", "id": "transient:sighting-c11cb0c5-6ce6-53e6-990a-3db70bde087e", "observed_start_time": "2021-09-16T22:48:31Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:31.153Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "msoimm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-23T09:31:53.564Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "052b6cd13d776cb06969a22a0f29ed3680e04d4f9a78c20bee16dea7fa0cfbcc", "2021-09-16T22:52:32.766Z", 11529088, "code42-exfil-share-datatype", "3f7fb1d32a7be58e65dc615a9553e183", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:31.153Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:50.183Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:19.132Z 804e3b095828 Skyformation - 3802637367508783235 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832499132 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationTypes.resources.dll fsize=17296 msg=Resource [Resource: file :: UIAutomationTypes.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:19.132Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationTypes.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED 
ext_modifyTimestamp=2021-08-18T09:55:48.113Z ext_md5Checksum=b81fa8bc88192c7febd2479638aea569 ext_sharedWith=[] ext_sha256Checksum=957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=17296 ext_insertionTimestamp=2021-09-16T22:51:15.334824Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.158Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_225\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:19.132Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334824Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/\",\"fileName\":\"UIAutomationTypes.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":17296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"b81fa8bc88192c7febd2479638aea569\",\"sha256Checksum\":\"957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418\",\"createTimestamp\":\"2021-08-18T09:55:42.158Z\",\"modifyTimestamp\":\"2021-08-18T09:55:48.113Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:19Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-80f4bd35-8d77-5832-82bc-6e851b01ab6a", "observed_start_time": "2021-09-16T22:48:19Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:19.132Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", 
"type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationTypes.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:48.113Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "957f3ec3bc08684456513d5cf6504db65d3bc5a94520ceaa881219b4479cc418", "2021-09-16T22:52:32.759Z", 17296, "code42-exfil-share-datatype", "b81fa8bc88192c7febd2479638aea569", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/it/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:19.132Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.158Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:03:00.461Z 804e3b095828 Skyformation - 4596085183447228781 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 dproc=file events dtz=default-tenant end=1631833380461 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=keri.prichard@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.164 ext_filePath=C:/Users/keri.prichard/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:00.461Z ext_fileClassifications=[] ext_userUid=966201252013468837 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968423512854283047 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=keri.prichard ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:02:59.649Z ext_md5Checksum=3466b521c7f5908415eda20dae617805 ext_sharedWith=[] ext_sha256Checksum=323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=keri.prichard@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:03:49.475785Z ext_domainName=KERIP-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-21T01:28:08.235Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=KERIP-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968423512854283047_1025231888466015380_6\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:03:00.461Z\",\"insertionTimestamp\":\"2021-09-16T23:03:49.475785Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/keri.prichard/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"3466b521c7f5908415eda20dae617805\",\"sha256Checksum\":\"323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a\",\"createTimestamp\":\"2020-08-21T01:28:08.235Z\",\"modifyTimestamp\":\"2021-09-16T23:02:59.649Z\",\"deviceUserName\":\"keri.prichard@example.edu\",\"osHostName\":\"KERIP-OFFICIAL-\",\"domainName\":\"KERIP-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.164\",\"fe80:0:0:0:b4cf:2ab0:1512:34f1%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"968423512854283047\",\"userUid\":\"966201252013468837\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismat
ch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"keri.prichard\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:03:00Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-7e0b6d27-4e43-591e-bfda-6a6ab3f6874a", "observed_start_time": "2021-09-16T23:03:00Z", "count": 1, "observable_type": "ip", "ctr_uuid": "acc3331d-c05a-44d1-b1e8-276faa688494", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:03:00.461Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", 
"type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "KERIP-OFFICIAL-", "KERIP-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:02:59.649Z", "text/plain", "MODIFIED", "162.222.47.183", "keri.prichard", "323b7e0ca2fa171ffbdb47339631549432b70d051e18904147f720b310ef653a", "2021-09-16T23:38:30.159Z", 21, "code42-exfil-share-datatype", "3466b521c7f5908415eda20dae617805", 57848, "false", "TRUE", "C:/Users/keri.prichard/", "Document", "Administrators", "FILE", "966201252013468837", "2021-09-16T23:03:00.461Z", "keri.prichard@example.edu", "keri.prichard@example.edu", "2020-08-21T01:28:08.235Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.136Z 804e3b095828 Skyformation - 8236532684077417727 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 dproc=file events dtz=default-tenant 
duid=username duser=SYSTEM end=1631832502136 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.AspNetCore.SignalR.Client.dll fsize=18296 msg=Resource [Resource: file :: Microsoft.AspNetCore.SignalR.Client.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.136Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.AspNetCore.SignalR.Client.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-26T09:52:02.839Z ext_md5Checksum=987db26b17dc24d5b7dec25db1c103c2 ext_sharedWith=[] ext_sha256Checksum=f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:15.336703Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-26T09:51:56.755Z 
ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_434\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.136Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336703Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Microsoft.AspNetCore.SignalR.Client.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"987db26b17dc24d5b7dec25db1c103c2\",\"sha256Checksum\":\"f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5\",\"createTimestamp\":\"2021-08-26T09:51:56.755Z\",\"modifyTimestamp\":\"2021-08-26T09:52:02.839Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMedia
PartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-25c017fd-4f45-5914-beb2-bc15656fec2f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": 
"2021-09-16T22:48:22.136Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.AspNetCore.SignalR.Client.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-26T09:52:02.839Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "f752289e0c4bc791af0ea382dbd416d8fefbe09c09f7878a53f011c6807e95c5", "2021-09-16T22:52:32.759Z", 18296, "code42-exfil-share-datatype", "987db26b17dc24d5b7dec25db1c103c2", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.136Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-26T09:51:56.755Z"]]}}, {"suspicious": 0, 
"description": "```\n<110>1 2021-09-16T22:48:27.281Z 804e3b095828 Skyformation - 8237112750594349726 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832507281 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=HxComm.dll fsize=22965248 msg=Resource [Resource: file :: HxComm.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:27.281Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=HxComm.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-23T09:31:51.480Z ext_md5Checksum=3bf2cfa3eeecd650c9564a2b6543b398 ext_sharedWith=[] ext_sha256Checksum=651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=22965248 ext_insertionTimestamp=2021-09-16T22:51:15.337345Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-23T09:31:49.902Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_524\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:27.281Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337345Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/\",\"fileName\":\"HxComm.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":22965248,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3bf2cfa3eeecd650c9564a2b6543b398\",\"sha256Checksum\":\"651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680\",\"createTimestamp\":\"2021-08-23T09:31:49.902Z\",\"modifyTimestamp\":\"2021-08-23T09:31:51.480Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTit
le\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:27Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-faf386d2-1897-5faa-9341-f6a5fc3c9de2", "observed_start_time": "2021-09-16T22:48:27Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:27.281Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "HxComm.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-08-23T09:31:51.480Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "651b082b4e471bd42f0c57c2e718e5b30244f66c2063e8f76268c29f0eca6680", "2021-09-16T22:52:32.760Z", 22965248, "code42-exfil-share-datatype", "3bf2cfa3eeecd650c9564a2b6543b398", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:27.281Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-23T09:31:49.902Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:51:23.336Z 804e3b095828 Skyformation - 869866733287153498 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 dproc=file events dtz=default-tenant end=1631832683336 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:51:23.336Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:51:22.415Z ext_md5Checksum=1a91631bf8b9e8f8eebc32c23d289b00 ext_sharedWith=[] 
ext_sha256Checksum=528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T22:52:47.736678Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025230780274218893_1\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:51:23.336Z\",\"insertionTimestamp\":\"2021-09-16T22:52:47.736678Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"1a91631bf8b9e8f8eebc32c23d289b00\",\"sha256Checksum\":\"528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T22:51:22.415Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\
":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:51:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_13_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_13_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-906a35f1-be54-5c29-beb5-915c1a319598", "observed_start_time": "2021-09-16T22:51:23Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:51:23.336Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", 
"2021-09-16T22:51:22.415Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "528a239ffe5363c9f043a73a62528d517150479ec608e1555b8e5eb0a8defdad", "2021-09-16T22:54:30.602Z", 21, "code42-exfil-share-datatype", "1a91631bf8b9e8f8eebc32c23d289b00", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T22:51:23.336Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:41.206Z 804e3b095828 Skyformation - 3894334357832369141 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832521206 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-crt-string-l1-1-0.dll fsize=18296 msg=Resource [Resource: file :: api-ms-win-crt-string-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:41.206Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-crt-string-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE 
ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.883Z ext_md5Checksum=f340a17ac423c71767d66973f69d05c8 ext_sharedWith=[] ext_sha256Checksum=0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=18296 ext_insertionTimestamp=2021-09-16T22:51:22.315122Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.882Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_106\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:41.206Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315122Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-crt-string-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":18296,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"f340a17ac423c71767d66973f69d05c8\",\"sha256Checksum\":\"0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa\",\"createTimestamp\":\"2021-09-08T09:32:11.882Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.883Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeT
ypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:41Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3de744ae-c05b-5cad-b8ba-bf2e42b878c5", "observed_start_time": "2021-09-16T22:48:41Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:41.206Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, 
{"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-crt-string-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.883Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "0e3af87d3602a8117cf44c8868433c4a76e8df2148832e2dc02112dc5577eafa", "2021-09-16T22:52:32.761Z", 18296, "code42-exfil-share-datatype", "f340a17ac423c71767d66973f69d05c8", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:41.206Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.882Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:23.184Z 804e3b095828 Skyformation - 4108665445048386408 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event 
destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832503184 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=libnanoapimanaged.dll fsize=7197696 msg=Resource [Resource: file :: libnanoapimanaged.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:23.184Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=libnanoapimanaged.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-09T09:44:34.359Z ext_md5Checksum=ff0f788645e78335908728321c10454b ext_sharedWith=[] ext_sha256Checksum=c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=7197696 ext_insertionTimestamp=2021-09-16T22:51:15.337194Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-09T09:44:28.638Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_494\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:23.184Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337194Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"libnanoapimanaged.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":7197696,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ff0f788645e78335908728321c10454b\",\"sha256Checksum\":\"c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c\",\"createTimestamp\":\"2021-09-09T09:44:28.638Z\",\"modifyTimestamp\":\"2021-09-09T09:44:34.359Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"re
movableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:23Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61478_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61478_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-3e1bc410-3631-5811-9b1f-f5830fe141bf", "observed_start_time": "2021-09-16T22:48:23Z", 
"count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:23.184Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "libnanoapimanaged.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-09T09:44:34.359Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c6e0e5df32db55088b5a584b536b87905b6c704f0cf608a913587aa725b0130c", "2021-09-16T22:52:32.759Z", 7197696, "code42-exfil-share-datatype", "ff0f788645e78335908728321c10454b", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:23.184Z", "darnell.waters@c42se.com", 
"darnell.waters@c42se.com", "2021-09-09T09:44:28.638Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.089Z 804e3b095828 Skyformation - 4576034695257961198 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502089 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Castle.Core.dll fsize=442368 msg=Resource [Resource: file :: Castle.Core.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.089Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Castle.Core.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:05.699Z ext_md5Checksum=2fba45e50a9fb187e9873416bc6b4400 ext_sharedWith=[] ext_sha256Checksum=9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=442368 ext_insertionTimestamp=2021-09-16T22:51:15.336572Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.137Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_419\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.089Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336572Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"Castle.Core.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":442368,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"2fba45e50a9fb187e9873416bc6b4400\",\"sha256Checksum\":\"9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23\",\"createTimestamp\":\"2021-05-13T09:36:01.137Z\",\"modifyTimestamp\":\"2021-05-13T09:36:05.699Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\
"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61474_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61474_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0f6806eb-5784-52b4-93cd-fa869fedf5ed", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.089Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Castle.Core.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2021-05-13T09:36:05.699Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "9964a5c497dcaea9bc047c719869a1c5483f9f383311a045d320148e0df13a23", "2021-09-16T22:52:32.760Z", 442368, "code42-exfil-share-datatype", "2fba45e50a9fb187e9873416bc6b4400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.089Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.137Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:47.204Z 804e3b095828 Skyformation - 2394701283809720859 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832527204 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=OneDriveSetup.exe fsize=47927168 msg=Resource [Resource: file :: OneDriveSetup.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:47.204Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=OneDriveSetup.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418 ext_syncDestinationUsername=[] ext_sourceTabs=[] 
ext_mimeTypeByExtension=application/x-dosexec ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-14T09:29:55.334Z ext_md5Checksum=82a458793a4b821e54408db1a0ae4124 ext_sharedWith=[] ext_sha256Checksum=3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=47927168 ext_insertionTimestamp=2021-09-16T22:51:22.315494Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-14T09:30:08.167Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_418\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:47.204Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.315494Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/\",\"fileName\":\"OneDriveSetup.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":47927168,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"82a458793a4b821e54408db1a0ae4124\",\"sha256Checksum\":\"3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4\",\"createTimestamp\":\"2021-09-14T09:30:08.167Z\",\"modifyTimestamp\":\"2021-09-14T09:29:55.334Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"applica
tion/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:47Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_5_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_5_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d31e6464-3207-5c61-87e3-a41b36564185", "observed_start_time": "2021-09-16T22:48:47Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:47.204Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "OneDriveSetup.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-14T09:29:55.334Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "3dfb050061f483200f5c1746c84b4dd826a6ff4928aac18c34e62c210f0347f4", "2021-09-16T22:52:32.761Z", 47927168, "code42-exfil-share-datatype", "82a458793a4b821e54408db1a0ae4124", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/Update/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:47.204Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-14T09:30:08.167Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:18.268Z 804e3b095828 Skyformation - 6335540438465677686 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832498268 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=45448 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:18.268Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:47.879Z ext_md5Checksum=c9ea75b02fd1d01f87d8ca868c1ec833 ext_sharedWith=[] ext_sha256Checksum=ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45448 ext_insertionTimestamp=2021-09-16T22:51:15.334477Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED 
ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.111Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_185\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:18.268Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.334477Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45448,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"c9ea75b02fd1d01f87d8ca868c1ec833\",\"sha256Checksum\":\"ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d\",\"createTimestamp\":\"2021-08-18T09:55:42.111Z\",\"modifyTimestamp\":\"2021-08-18T09:55:47.879Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removable
MediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:18Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61475_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61475_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-c9f0fbfb-5ab6-542b-a192-b8fd98e410f9", 
"observed_start_time": "2021-09-16T22:48:18Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:18.268Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:47.879Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "ac067a4d7f80ecaf50dfcefcb751d8f00f883d6c532d986f28f335915869c96d", "2021-09-16T22:52:32.759Z", 45448, "code42-exfil-share-datatype", "c9ea75b02fd1d01f87d8ca868c1ec833", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/fr/", "Executable", "SYSTEM", "FILE", "902428473202283166", 
"2021-09-16T22:48:18.268Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.111Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:00:01.360Z 804e3b095828 Skyformation - 3885683649781971647 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 dproc=file events dtz=default-tenant end=1631833201360 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=lisa.anderson@example.edu ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.64.165 ext_filePath=C:/Users/lisa.anderson/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:01.360Z ext_fileClassifications=[] ext_userUid=966200991614299301 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=968364480722593364 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=lisa.anderson ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:00.548Z ext_md5Checksum=6ef406323b86ee9fc610e512e565eceb ext_sharedWith=[] ext_sha256Checksum=a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606 ext_exposure=[] ext_privateIpAddresses_2_=fe80:0:0:0:554a:3c40:b35b:f26b%eth4 ext_fileCategoryByBytes=Document ext_deviceUserName=lisa.anderson@example.edu ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:01:26.761677Z ext_domainName=LISAA-OFFICIAL-WIN10.qa.code42.com 
ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-20T15:35:40.032Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=LISAA-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_968364480722593364_1025231649034898014_5\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:00:01.360Z\",\"insertionTimestamp\":\"2021-09-16T23:01:26.761677Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/lisa.anderson/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"6ef406323b86ee9fc610e512e565eceb\",\"sha256Checksum\":\"a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606\",\"createTimestamp\":\"2020-08-20T15:35:40.032Z\",\"modifyTimestamp\":\"2021-09-16T23:00:00.548Z\",\"deviceUserName\":\"lisa.anderson@example.edu\",\"osHostName\":\"LISAA-OFFICIAL-\",\"domainName\":\"LISAA-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.64.165\",\"0:0:0:0:0:0:0:1\",\"fe80:0:0:0:554a:3c40:b35b:f26b%eth4\",\"127.0.0.1\"],\"deviceUid\":\"968364480722593364\",\"userUid\":\"966200991614299301\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removab
leMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"lisa.anderson\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:00:01Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_0_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_0_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b5131dad-59b7-5e9c-af0c-bd9880bf8180", "observed_start_time": "2021-09-16T23:00:01Z", "count": 1, "observable_type": "ip", "ctr_uuid": "82ff18f9-a2f2-468e-b769-864955bf9f94", 
"confidence": "High", "observed_time": {"start_time": "2021-09-16T23:00:01.360Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "LISAA-OFFICIAL-", "LISAA-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:00:00.548Z", "text/plain", "MODIFIED", "162.222.47.183", "lisa.anderson", "a33ceed3e56d192c4c0a1d95e61c82a90cd168c851dbfa50d0404bed54de4606", "2021-09-16T23:02:30.314Z", 21, "code42-exfil-share-datatype", "6ef406323b86ee9fc610e512e565eceb", 57848, "false", "TRUE", "C:/Users/lisa.anderson/", "Document", "Administrators", "FILE", "966200991614299301", "2021-09-16T23:00:01.360Z", "lisa.anderson@example.edu", "lisa.anderson@example.edu", "2020-08-20T15:35:40.032Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.158Z 
804e3b095828 Skyformation - 2697794621667201591 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501158 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=UIAutomationProvider.resources.dll fsize=14224 msg=Resource [Resource: file :: UIAutomationProvider.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.158Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=UIAutomationProvider.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.849Z ext_md5Checksum=f96e04ea6cbce1560b83bff7a42f29b0 ext_sharedWith=[] ext_sha256Checksum=c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=14224 ext_insertionTimestamp=2021-09-16T22:51:15.336139Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_369\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.158Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336139Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"UIAutomationProvider.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":14224,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"f96e04ea6cbce1560b83bff7a42f29b0\",\"sha256Checksum\":\"c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.849Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\
"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61476_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61476_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a7debce1-3ffd-50ca-b4dd-86c49407a4b2", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.158Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "UIAutomationProvider.resources.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.849Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "c0609c9621627c09eb06b42b320555850ee8cd00ea8dfe515f520b2ca778cde9", "2021-09-16T22:52:32.763Z", 14224, "code42-exfil-share-datatype", "f96e04ea6cbce1560b83bff7a42f29b0", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.158Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:00:53.518Z 804e3b095828 Skyformation - 9157518344019267215 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 dproc=file events dtz=default-tenant end=1631833253518 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=alex.cooper@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=172.20.65.62 ext_filePath=C:/Users/alex.cooper/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:00:53.518Z ext_fileClassifications=[] ext_userUid=925771637667629373 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944595906935824510 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=alex.cooper ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:00:52.603Z ext_md5Checksum=07123ecb22ebf61f593efe09b307cb58 
ext_sharedWith=[] ext_sha256Checksum=6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=alex.cooper@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:35.401169Z ext_domainName=ALEXC-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:57:46.726Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ALEXC-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944595906935824510_1025231769157847802_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:00:53.518Z\",\"insertionTimestamp\":\"2021-09-16T23:02:35.401169Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/alex.cooper/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"07123ecb22ebf61f593efe09b307cb58\",\"sha256Checksum\":\"6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217\",\"createTimestamp\":\"2020-08-14T13:57:46.726Z\",\"modifyTimestamp\":\"2021-09-16T23:00:52.603Z\",\"deviceUserName\":\"alex.cooper@c42se.com\",\"osHostName\":\"ALEXC-OFFICIAL-\",\"domainName\":\"ALEXC-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"172.20.65.62\",\"fe80:0:0:0:d0a7:7d2c:ac2a:37db%eth4\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"944595906935824510\",\"userUid\":\"925771637667629373\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":nul
l,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"alex.cooper\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:00:53Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_14_61484_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_14_61484_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-0f0674ff-844f-5bef-96fa-3838e5680bbb", "observed_start_time": "2021-09-16T23:00:53Z", "count": 1, "observable_type": "ip", "ctr_uuid": "8b4565a6-1f89-498b-bd58-e2b514f127a1", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:00:53.518Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ALEXC-OFFICIAL-", 
"ALEXC-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:00:52.603Z", "text/plain", "MODIFIED", "162.222.47.183", "alex.cooper", "6abee9b25bc357269009a03b5f271fb3aaa60c3beab8cd9d68a230bea1dfd217", "2021-09-16T23:04:29.765Z", 21, "code42-exfil-share-datatype", "07123ecb22ebf61f593efe09b307cb58", 57848, "false", "TRUE", "C:/Users/alex.cooper/", "Document", "Administrators", "FILE", "925771637667629373", "2021-09-16T23:00:53.518Z", "alex.cooper@c42se.com", "alex.cooper@c42se.com", "2020-08-14T13:57:46.726Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.207Z 804e3b095828 Skyformation - 7302095682313925819 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 dproc=file events dtz=default-tenant duid=username duser=darnell.waters end=1631832520207 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=Microsoft.SharePoint.exe fsize=729448 msg=Resource [Resource: file :: Microsoft.SharePoint.exe] was deleted by [darnell.waters@c42se.com] outcome=Executable proto=exe requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.207Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=Microsoft.SharePoint.exe ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-dosexec 
ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:14.217Z ext_md5Checksum=4bb5499613eca0fe0670a3cab2d5318e ext_sharedWith=[] ext_sha256Checksum=4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=729448 ext_insertionTimestamp=2021-09-16T22:51:22.314378Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:14.205Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_13\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.207Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314378Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"Microsoft.SharePoint.exe\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":729448,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"4bb5499613eca0fe0670a3cab2d5318e\",\"sha256Checksum\":\"4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636\",\"createTimestamp\":\"2021-09-08T09:32:14.205Z\",\"modifyTimestamp\":\"2021-09-08T09:32:14.217Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByByt
es\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-dosexec\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-e2f84dc5-c14e-5c9e-8387-08f1c5f04b0d", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.207Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": 
"src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "Microsoft.SharePoint.exe", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:14.217Z", "application/x-dosexec", "DELETED", "162.222.47.183", "darnell.waters", "4d68518bdf24b709cd96d64d292ffc7783c20f12463575c4b3c58b527ccc7636", "2021-09-16T22:52:32.764Z", 729448, "code42-exfil-share-datatype", "4bb5499613eca0fe0670a3cab2d5318e", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.207Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:14.205Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:21.134Z 804e3b095828 Skyformation - 1979111271936407271 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832501134 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Windows.Forms.Design.Editors.resources.dll fsize=78200 msg=Resource [Resource: file :: System.Windows.Forms.Design.Editors.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:21.134Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Windows.Forms.Design.Editors.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:53.771Z ext_md5Checksum=3feb5a138ff178c1dd47a8a99f394517 ext_sharedWith=[] ext_sha256Checksum=5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=78200 ext_insertionTimestamp=2021-09-16T22:51:15.336077Z 
ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.596Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_362\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:21.134Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336077Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/\",\"fileName\":\"System.Windows.Forms.Design.Editors.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":78200,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"3feb5a138ff178c1dd47a8a99f394517\",\"sha256Checksum\":\"5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30\",\"createTimestamp\":\"2021-08-18T09:55:42.596Z\",\"modifyTimestamp\":\"2021-08-18T09:55:53.771Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removab
leMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:21Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_16_61472_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_16_61472_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", 
"disposition_name": "Unknown", "id": "transient:sighting-df2ba03f-9021-5a29-9af0-4d748fd81b32", "observed_start_time": "2021-09-16T22:48:21Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:21.134Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Windows.Forms.Design.Editors.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:53.771Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "5b3ae16f4ee000b1926db004305eba00196183ade283383e16c9e8d171384c30", "2021-09-16T22:52:32.759Z", 78200, "code42-exfil-share-datatype", "3feb5a138ff178c1dd47a8a99f394517", 57848, "false", "TRUE", "C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/tr/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:21.134Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.596Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:58:45.240Z 804e3b095828 Skyformation - 1503382521195344208 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 dproc=file events dtz=default-tenant end=1631833125240 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=eric.strauss@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:10bc:b19:239f:6063%eth4 ext_filePath=C:/Users/eric.strauss/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T22:58:45.240Z ext_fileClassifications=[] ext_userUid=886924612955838070 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=949085489986461736 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=eric.strauss ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T22:58:44.334Z ext_md5Checksum=4d815e327303356a651e8f6309dbddb2 ext_sharedWith=[] ext_sha256Checksum=44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Document ext_deviceUserName=eric.strauss@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false 
ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:02:23.643528Z ext_domainName=ERICS-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=172.20.65.70 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T13:40:10.269Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=ERICS-OFFICIAL- cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_949085489986461736_1025231743877360771_4\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T22:58:45.240Z\",\"insertionTimestamp\":\"2021-09-16T23:02:23.643528Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/eric.strauss/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"4d815e327303356a651e8f6309dbddb2\",\"sha256Checksum\":\"44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e\",\"createTimestamp\":\"2020-08-14T13:40:10.269Z\",\"modifyTimestamp\":\"2021-09-16T22:58:44.334Z\",\"deviceUserName\":\"eric.strauss@c42se.com\",\"osHostName\":\"ERICS-OFFICIAL-\",\"domainName\":\"ERICS-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:10bc:b19:239f:6063%eth4\",\"172.20.65.70\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"949085489986461736\",\"userUid\":\"886924612955838070\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"re
movableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"eric.strauss\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:58:45Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_4_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_4_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-1c9475b8-bc10-5f3a-a528-b8a5ae119847", 
"observed_start_time": "2021-09-16T22:58:45Z", "count": 1, "observable_type": "ip", "ctr_uuid": "ac383ed4-03ef-4ca4-ab67-7192058fdf33", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:58:45.240Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "ERICS-OFFICIAL-", "ERICS-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T22:58:44.334Z", "text/plain", "MODIFIED", "162.222.47.183", "eric.strauss", "44b2119992fd6873701b6ab7062bf5a7e7f5d8108b6984d306a39df7279cec2e", "2021-09-16T23:04:29.763Z", 21, "code42-exfil-share-datatype", "4d815e327303356a651e8f6309dbddb2", 57848, "false", "TRUE", "C:/Users/eric.strauss/", "Document", "Administrators", "FILE", "886924612955838070", "2021-09-16T22:58:45.240Z", "eric.strauss@c42se.com", 
"eric.strauss@c42se.com", "2020-08-14T13:40:10.269Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.246Z 804e3b095828 Skyformation - 777452173831288868 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502246 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Buffers.dll fsize=20856 msg=Resource [Resource: file :: System.Buffers.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.246Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Buffers.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2020-05-21T13:19:04.607Z ext_md5Checksum=ecdfe8ede869d2ccc6bf99981ea96400 ext_sharedWith=[] ext_sha256Checksum=accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable 
ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=20856 ext_insertionTimestamp=2021-09-16T22:51:15.336975Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-05-21T13:18:58.619Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_465\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.246Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.336975Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Buffers.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":20856,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"ecdfe8ede869d2ccc6bf99981ea96400\",\"sha256Checksum\":\"accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb\",\"createTimestamp\":\"2020-05-21T13:18:58.619Z\",\"modifyTimestamp\":\"2020-05-21T13:19:04.607Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,
\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_2_61479_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_2_61479_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-eb0c66e8-84ad-581a-9f9a-25cebb09004f", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.246Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Buffers.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", 
"2020-05-21T13:19:04.607Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb", "2021-09-16T22:52:32.759Z", 20856, "code42-exfil-share-datatype", "ecdfe8ede869d2ccc6bf99981ea96400", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.246Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2020-05-21T13:18:58.619Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:20.307Z 804e3b095828 Skyformation - 2428909997723233588 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832500307 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=PresentationUI.resources.dll fsize=53112 msg=Resource [Resource: file :: PresentationUI.resources.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:20.307Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=PresentationUI.resources.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330 ext_syncDestinationUsername=[] 
ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-08-18T09:55:50.098Z ext_md5Checksum=0bf7eed5f18b294cd26d33a71c831237 ext_sharedWith=[] ext_sha256Checksum=64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=53112 ext_insertionTimestamp=2021-09-16T22:51:15.335765Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-08-18T09:55:42.377Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_330\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:20.307Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.335765Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program 
Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/\",\"fileName\":\"PresentationUI.resources.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":53112,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"0bf7eed5f18b294cd26d33a71c831237\",\"sha256Checksum\":\"64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28\",\"createTimestamp\":\"2021-08-18T09:55:42.377Z\",\"modifyTimestamp\":\"2021-08-18T09:55:50.098Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; 
format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:20Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_7_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_7_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-dd407cc3-3f46-5b52-b2e8-65ebc0e516ed", "observed_start_time": "2021-09-16T22:48:20Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:20.307Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": 
"string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "PresentationUI.resources.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-08-18T09:55:50.098Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "64c0704e3ec41502c34009f9dc53a089573441dc6081be99657a053f5610aa28", "2021-09-16T22:52:32.764Z", 53112, "code42-exfil-share-datatype", "0bf7eed5f18b294cd26d33a71c831237", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneAppProxy/ru/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:20.307Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-08-18T09:55:42.377Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:03:22.644Z 804e3b095828 Skyformation - 273274590069601610 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 
deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 dproc=file events dtz=default-tenant end=1631833402644 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=john.miller@c42se.com ext_fileCategoryByExtension=Document ext_privateIpAddresses_0_=fe80:0:0:0:39e1:db68:87a4:441c%eth3 ext_filePath=C:/Users/john.miller/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:03:22.644Z ext_fileClassifications=[] ext_userUid=920256648733700755 ext_riskScore=0 ext_fileName=modify_me.txt ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=text/plain ext_deviceUid=944596934062634167 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=john.miller ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-16T23:03:22.573Z ext_md5Checksum=b65499280f2f8d7b7151a3fa44c0a24f ext_sharedWith=[] ext_sha256Checksum=417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38 ext_exposure=[] ext_privateIpAddresses_2_=172.20.64.238 ext_fileCategoryByBytes=Document ext_deviceUserName=john.miller@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=21 ext_insertionTimestamp=2021-09-16T23:09:05.264820Z ext_domainName=JOHNM-OFFICIAL-WIN10.qa.code42.com ext_eventType=MODIFIED ext_privateIpAddresses_1_=0:0:0:0:0:0:0:1 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2020-08-14T14:36:29.460Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=text/plain ext_tabs=[] ext_fileOwner=Administrators ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=JOHNM-OFFICIAL- 
cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_944596934062634167_1025232418116376461_8\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:03:22.644Z\",\"insertionTimestamp\":\"2021-09-16T23:09:05.264820Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/john.miller/\",\"fileName\":\"modify_me.txt\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Document\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":21,\"fileOwner\":\"Administrators\",\"md5Checksum\":\"b65499280f2f8d7b7151a3fa44c0a24f\",\"sha256Checksum\":\"417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38\",\"createTimestamp\":\"2020-08-14T14:36:29.460Z\",\"modifyTimestamp\":\"2021-09-16T23:03:22.573Z\",\"deviceUserName\":\"john.miller@c42se.com\",\"osHostName\":\"JOHNM-OFFICIAL-\",\"domainName\":\"JOHNM-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:39e1:db68:87a4:441c%eth3\",\"0:0:0:0:0:0:0:1\",\"172.20.64.238\",\"127.0.0.1\"],\"deviceUid\":\"944596934062634167\",\"userUid\":\"920256648733700755\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"text/plain\",\"mimeTypeByExtension\":\"text/plain\",\"mimeTypeMismatch\":f
alse,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"john.miller\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:03:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_15_61480_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_15_61480_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-72310698-525a-5a66-a3ee-20a1deca64d3", "observed_start_time": "2021-09-16T23:03:22Z", "count": 1, "observable_type": "ip", "ctr_uuid": "78ece332-023a-4318-975d-a6c6d25a3ffb", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:03:22.644Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": 
"string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Endpoint", "modify_me.txt", "JOHNM-OFFICIAL-", "JOHNM-OFFICIAL-WIN10.qa.code42.com", "2021-09-16T23:03:22.573Z", "text/plain", "MODIFIED", "162.222.47.183", "john.miller", "417d1ac6034432f98e4a23ec2d128cf68066668dbd832f73567872bec764cb38", "2021-09-16T23:38:30.159Z", 21, "code42-exfil-share-datatype", "b65499280f2f8d7b7151a3fa44c0a24f", 57848, "false", "TRUE", "C:/Users/john.miller/", "Document", "Administrators", "FILE", "920256648733700755", "2021-09-16T23:03:22.644Z", "john.miller@c42se.com", "john.miller@c42se.com", "2020-08-14T14:36:29.460Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:40.411Z 804e3b095828 Skyformation - 6642968334963508602 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 dproc=file events dtz=default-tenant duid=username 
duser=darnell.waters end=1631832520411 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=api-ms-win-core-libraryloader-l1-1-0.dll fsize=12664 msg=Resource [Resource: file :: api-ms-win-core-libraryloader-l1-1-0.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:40.411Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=api-ms-win-core-libraryloader-l1-1-0.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-08T09:32:11.402Z ext_md5Checksum=94d4e2bb8654b77c41cd35574e3f0299 ext_sharedWith=[] ext_sha256Checksum=129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_trusted=false ext_outsideActiveHours=false ext_fileSize=12664 ext_insertionTimestamp=2021-09-16T22:51:22.314807Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-09-08T09:32:11.401Z ext_mimeTypeMismatch=false 
ext_mimeTypeByBytes=application/x-msdownload ext_tabs=[] ext_fileOwner=darnell.waters ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230636161503523_79\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:40.411Z\",\"insertionTimestamp\":\"2021-09-16T22:51:22.314807Z\",\"fieldErrors\":[],\"filePath\":\"C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/\",\"fileName\":\"api-ms-win-core-libraryloader-l1-1-0.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":12664,\"fileOwner\":\"darnell.waters\",\"md5Checksum\":\"94d4e2bb8654b77c41cd35574e3f0299\",\"sha256Checksum\":\"129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082\",\"createTimestamp\":\"2021-09-08T09:32:11.401Z\",\"modifyTimestamp\":\"2021-09-08T09:32:11.402Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncD
estinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:40Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_10_61481_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_10_61481_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-d3a79e39-11d3-53f1-b007-2ec9ea47ae64", "observed_start_time": "2021-09-16T22:48:40Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:40.411Z"}, "ctr_hide": false, "clean": 0, 
"data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "api-ms-win-core-libraryloader-l1-1-0.dll", "DARNELLW-OFFICI", "DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-09-08T09:32:11.402Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "129b896380878b6ebd1afb882561b173f742cc64ca8ec8662609b47d17f18082", "2021-09-16T22:52:32.762Z", 12664, "code42-exfil-share-datatype", "94d4e2bb8654b77c41cd35574e3f0299", 57848, "false", "TRUE", "C:/Users/darnell.waters/AppData/Local/Microsoft/OneDrive/21.175.0829.0001/", "Executable", "darnell.waters", "FILE", "902428473202283166", "2021-09-16T22:48:40.411Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-09-08T09:32:11.401Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T22:48:22.288Z 804e3b095828 
Skyformation - 4544163005827909122 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-resource-deleted|resource-deleted|0|cat=application-data cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 dproc=file events dtz=default-tenant duid=username duser=SYSTEM end=1631832502288 fileHash=File filePath=N/A fileType=file flexString1=DELETED flexString1Label=application-action fname=System.Threading.Channels.dll fsize=45952 msg=Resource [Resource: file :: System.Threading.Channels.dll] was deleted by [darnell.waters@c42se.com] proto=dll requestClientApplication=Code42 - DEMO src=162.222.47.183 suid=username suser=darnell.waters@c42se.com ext_fileCategoryByExtension=Executable ext_privateIpAddresses_0_=fe80:0:0:0:1d77:dcdf:c593:1143%eth4 ext_filePath=C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/ ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Executable ext_eventTimestamp=2021-09-16T22:48:22.288Z ext_fileClassifications=[] ext_userUid=902428473202283166 ext_riskScore=0 ext_fileName=System.Threading.Channels.dll ext_eventId=0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/x-msdownload ext_deviceUid=1017088719733184290 ext_fileType=FILE ext_privateIpAddresses_3_=127.0.0.1 ext_directoryId=[] ext_remoteActivity=TRUE ext_operatingSystemUser=darnell.waters ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-05-13T09:36:06.230Z ext_md5Checksum=523c15d2368a36583c90119fd9f52fe7 ext_sharedWith=[] ext_sha256Checksum=6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0 ext_exposure=[] ext_privateIpAddresses_2_=0:0:0:0:0:0:0:1 ext_fileCategoryByBytes=Executable ext_deviceUserName=darnell.waters@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] 
ext_trusted=false ext_outsideActiveHours=false ext_fileSize=45952 ext_insertionTimestamp=2021-09-16T22:51:15.337062Z ext_domainName=DARNELLW-OFFICIAL-WIN10.qa.code42.com ext_eventType=DELETED ext_privateIpAddresses_1_=172.20.65.55 ext_source=Endpoint ext_publicIpAddress=162.222.47.183 ext_createTimestamp=2021-05-13T09:36:01.168Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-msdownload; format\\=pe32 ext_tabs=[] ext_fileOwner=SYSTEM ext_removableMediaPartitionId=[] ext_windowTitle=[] ext_osHostName=DARNELLW-OFFICI cs6={\"eventId\":\"0_c4b5e830-824a-40a3-a6d9-345664cfbb33_1017088719733184290_1025230594335904035_475\",\"eventType\":\"DELETED\",\"eventTimestamp\":\"2021-09-16T22:48:22.288Z\",\"insertionTimestamp\":\"2021-09-16T22:51:15.337062Z\",\"fieldErrors\":[],\"filePath\":\"C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/\",\"fileName\":\"System.Threading.Channels.dll\",\"fileType\":\"FILE\",\"fileCategory\":\"Executable\",\"fileCategoryByBytes\":\"Executable\",\"fileCategoryByExtension\":\"Executable\",\"fileSize\":45952,\"fileOwner\":\"SYSTEM\",\"md5Checksum\":\"523c15d2368a36583c90119fd9f52fe7\",\"sha256Checksum\":\"6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0\",\"createTimestamp\":\"2021-05-13T09:36:01.168Z\",\"modifyTimestamp\":\"2021-05-13T09:36:06.230Z\",\"deviceUserName\":\"darnell.waters@c42se.com\",\"osHostName\":\"DARNELLW-OFFICI\",\"domainName\":\"DARNELLW-OFFICIAL-WIN10.qa.code42.com\",\"publicIpAddress\":\"162.222.47.183\",\"privateIpAddresses\":[\"fe80:0:0:0:1d77:dcdf:c593:1143%eth4\",\"172.20.65.55\",\"0:0:0:0:0:0:0:1\",\"127.0.0.1\"],\"deviceUid\":\"1017088719733184290\",\"userUid\":\"902428473202283166\",\"actor\":null,\"directoryId\":[],\"source\":\"Endpoint\",\"url\":null,\"shared\":null,\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":null,\"detectionSourceAlias\":null,\"fileId\":null,\"exposure\":[],\"processOwner\":null,\"processName\":null,\"windowT
itle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-msdownload; format\\=pe32\",\"mimeTypeByExtension\":\"application/x-msdownload\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":\"TRUE\",\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":\"darnell.waters\",\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T22:48:22Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "162.222.47.183", "observables": [{"value": "162.222.47.183", "type": "ip"}], "obs": "ip:162.222.47.183", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_9_61477_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_9_61477_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-cb6020cb-fa6b-58ab-9a08-8c624a73ee5b", "observed_start_time": "2021-09-16T22:48:22Z", "count": 1, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-09-16T22:48:22.288Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "src_host", "type": "string"}, {"name": "domain", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "os_user", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "remote_activity", "type": "string"}, {"name": "file_path", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Executable", "Endpoint", "System.Threading.Channels.dll", "DARNELLW-OFFICI", 
"DARNELLW-OFFICIAL-WIN10.qa.code42.com", "2021-05-13T09:36:06.230Z", "application/x-msdownload", "DELETED", "162.222.47.183", "darnell.waters", "6ab3f578f0cc4a44e9cc89612c16367ccf621b8cfd0069d27df216a08b09b9b0", "2021-09-16T22:52:32.766Z", 45952, "code42-exfil-share-datatype", "523c15d2368a36583c90119fd9f52fe7", 57848, "false", "TRUE", "C:/Program Files/WindowsApps/Microsoft.YourPhone_1.21084.59.0_x64__8wekyb3d8bbwe/YourPhoneServer/", "Executable", "SYSTEM", "FILE", "902428473202283166", "2021-09-16T22:48:22.288Z", "darnell.waters@c42se.com", "darnell.waters@c42se.com", "2021-05-13T09:36:01.168Z"]]}}], "revListOrder": 4}, "notifications": [{"module_type": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable_id": "f5f1e5c6", "module_type_id": "873cd460-1d10-4695-a1ce-bc955e8cca74", "observable": {"type": "ip", "value": "162.222.47.183"}, "type": "warning", "action_id": "84f9c555-287e-4ed0-9caf-8ff5f23a21dc", "code": "too-many-messages-warning", "module_name": "Exabeam", "module_instance_id": "942af880-b962-4a4a-9aa6-4d5ec500e84a", "message": "There are more messages in Exabeam for 162.222.47.183 than can be displayed in Threat Response. Login to the Exabeam console to see all messages."}], "disposition_name": "Unknown", "disposition": 5, "type": "ip", "value": "162.222.47.183", "id": "f5f1e5c6"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-e15f8317-1d85-47bc-a66d-f29278645b09", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T08:32:32.184Z", "nodePositions": {"f5f1e5c6": {"y": 6.593275760293544e-09, "category": "ip", "isAsset": false, "index": 0, "modules": ["Exabeam"], "5:ip": true, "value": "162.222.47.183", "type": "ip", "state": "ok", "disposition": 5, "disposition_name": "Unknown", "vx": 0, "vy": 0, "id": "f5f1e5c6", "investigated": true, "x": 0.04662150000336455}}, "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} \ No newline at end of file 
diff --git a/Exabeam/Snapshot-with-md5.json b/Exabeam/Snapshot-with-md5.json
index a209e6d2..895de325 100644
--- a/Exabeam/Snapshot-with-md5.json
+++ b/Exabeam/Snapshot-with-md5.json
@@ -1 +1 @@
-{"schema_version": "1.1.3", "type": "investigation", "search-txt": "md5:\"dcc92f74841f4934189d4ce787c42eb7\"", "actions": "[{\"arg\":\"dcc92f74841f4934189d4ce787c42eb7\",\"created\":\"2021-09-17T08:43:44.939Z\",\"id\":\"collect-63044a1a\",\"result\":[{\"value\":\"dcc92f74841f4934189d4ce787c42eb7\",\"type\":\"md5\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T08:43:45.136Z\",\"uuid\":\"3c9c9a07-ade0-4ae6-b87f-6c30410a5b20\"},{\"arg\":{\"type\":\"md5\",\"value\":\"dcc92f74841f4934189d4ce787c42eb7\"},\"created\":\"2021-09-17T08:43:45.153Z\",\"id\":\"investigate-d6d640a5\",\"result\":{\"data\":[{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":2,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] 
ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 
0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE 
Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"dcc92f74841f4934189d4ce787c42eb7\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-591b588d-c454-50fa-83ab-b762a98e54a9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.158Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 
ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveI
d\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"dcc92f74841f4934189d4ce787c42eb7\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b2d31148-93ae-5348-bfde-39bb87f089ed\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.159Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T08:43:47.119Z\",\"uuid\":\"70715e8d-515a-4e2b-8601-8e750df287cb\"}]", "short_description": "Exabeam_md5", "omittedObservables": [], "archivedObservables": [{"key": "65596124-0320-44aa-bbfa-7870b3f4a60e", "value": "dcc92f74841f4934189d4ce787c42eb7", "indicators": [], "type": "md5", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": null, "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "dcc92f74841f4934189d4ce787c42eb7", "id": "669049df", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 
ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "dcc92f74841f4934189d4ce787c42eb7", "observables": [{"value": "dcc92f74841f4934189d4ce787c42eb7", "type": "md5"}], "obs": "md5:dcc92f74841f4934189d4ce787c42eb7", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b2d31148-93ae-5348-bfde-39bb87f089ed", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "md5", "ctr_uuid": "471b3a45-550e-46aa-9bb8-b0eea376af9e", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", 
"type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document 
ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "dcc92f74841f4934189d4ce787c42eb7", "observables": [{"value": "dcc92f74841f4934189d4ce787c42eb7", "type": "md5"}], "obs": "md5:dcc92f74841f4934189d4ce787c42eb7", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-591b588d-c454-50fa-83ab-b762a98e54a9", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "md5", "ctr_uuid": "fdee7f54-7948-4467-9f25-7e2ff41c66cc", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", 
"type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "9302e3eb-701c-424e-9acd-201ed2b5f6aa", "observable": {"key": "65596124-0320-44aa-bbfa-7870b3f4a60e", "value": "dcc92f74841f4934189d4ce787c42eb7", "indicators": [], "type": "md5", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": null, "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "dcc92f74841f4934189d4ce787c42eb7", "id": "669049df", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] 
cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "dcc92f74841f4934189d4ce787c42eb7", "observables": [{"value": "dcc92f74841f4934189d4ce787c42eb7", "type": "md5"}], "obs": "md5:dcc92f74841f4934189d4ce787c42eb7", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b2d31148-93ae-5348-bfde-39bb87f089ed", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "md5", "ctr_uuid": "471b3a45-550e-46aa-9bb8-b0eea376af9e", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "dcc92f74841f4934189d4ce787c42eb7", "observables": [{"value": "dcc92f74841f4934189d4ce787c42eb7", "type": "md5"}], "obs": "md5:dcc92f74841f4934189d4ce787c42eb7", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-591b588d-c454-50fa-83ab-b762a98e54a9", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "md5", "ctr_uuid": "fdee7f54-7948-4467-9f25-7e2ff41c66cc", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}], "revListOrder": 4}, "notifications": null, "disposition_name": "Unknown", "disposition": 5, "type": "md5", "value": "dcc92f74841f4934189d4ce787c42eb7", "id": "669049df"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-dd8c46b0-7f35-4ff5-b4b3-b40d786c9ed1", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T08:44:37.801Z", "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "md5:\"dcc92f74841f4934189d4ce787c42eb7\"", "actions": "[{\"arg\":\"dcc92f74841f4934189d4ce787c42eb7\",\"created\":\"2021-09-17T08:43:44.939Z\",\"id\":\"collect-63044a1a\",\"result\":[{\"value\":\"dcc92f74841f4934189d4ce787c42eb7\",\"type\":\"md5\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T08:43:45.136Z\",\"uuid\":\"3c9c9a07-ade0-4ae6-b87f-6c30410a5b20\"},{\"arg\":{\"type\":\"md5\",\"value\":\"dcc92f74841f4934189d4ce787c42eb7\"},\"created\":\"2021-09-17T08:43:45.153Z\",\"id\":\"investigate-d6d640a5\",\"result\":{\"data\":[{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":2,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation 
Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] 
cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE 
Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"dcc92f74841f4934189d4ce787c42eb7\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-591b588d-c454-50fa-83ab-b762a98e54a9\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.158Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 
ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveI
d\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"dcc92f74841f4934189d4ce787c42eb7\",\"type\":\"md5\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-b2d31148-93ae-5348-bfde-39bb87f089ed\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.159Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T08:43:47.119Z\",\"uuid\":\"70715e8d-515a-4e2b-8601-8e750df287cb\"}]", "short_description": "Exabeam_md5", "omittedObservables": [], "archivedObservables": [{"key": "65596124-0320-44aa-bbfa-7870b3f4a60e", "value": "dcc92f74841f4934189d4ce787c42eb7", "indicators": [], "type": "md5", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": null, "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "dcc92f74841f4934189d4ce787c42eb7", "id": "669049df", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 
ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "dcc92f74841f4934189d4ce787c42eb7", "observables": [{"value": "dcc92f74841f4934189d4ce787c42eb7", "type": "md5"}], "obs": "md5:dcc92f74841f4934189d4ce787c42eb7", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b2d31148-93ae-5348-bfde-39bb87f089ed", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "md5", "ctr_uuid": "471b3a45-550e-46aa-9bb8-b0eea376af9e", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", 
"type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document 
ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "dcc92f74841f4934189d4ce787c42eb7", "observables": [{"value": "dcc92f74841f4934189d4ce787c42eb7", "type": "md5"}], "obs": "md5:dcc92f74841f4934189d4ce787c42eb7", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-591b588d-c454-50fa-83ab-b762a98e54a9", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "md5", "ctr_uuid": "fdee7f54-7948-4467-9f25-7e2ff41c66cc", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", 
"type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "9302e3eb-701c-424e-9acd-201ed2b5f6aa", "observable": {"key": "65596124-0320-44aa-bbfa-7870b3f4a60e", "value": "dcc92f74841f4934189d4ce787c42eb7", "indicators": [], "type": "md5", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": null, "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "dcc92f74841f4934189d4ce787c42eb7", "id": "669049df", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps 
Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] 
cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "dcc92f74841f4934189d4ce787c42eb7", "observables": [{"value": "dcc92f74841f4934189d4ce787c42eb7", "type": "md5"}], "obs": "md5:dcc92f74841f4934189d4ce787c42eb7", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-b2d31148-93ae-5348-bfde-39bb87f089ed", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "md5", "ctr_uuid": "471b3a45-550e-46aa-9bb8-b0eea376af9e", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "dcc92f74841f4934189d4ce787c42eb7", "observables": [{"value": "dcc92f74841f4934189d4ce787c42eb7", "type": "md5"}], "obs": "md5:dcc92f74841f4934189d4ce787c42eb7", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": 
"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-591b588d-c454-50fa-83ab-b762a98e54a9", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "md5", "ctr_uuid": "fdee7f54-7948-4467-9f25-7e2ff41c66cc", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}], "revListOrder": 4}, "notifications": null, "disposition_name": "Unknown", "disposition": 5, "type": "md5", "value": "dcc92f74841f4934189d4ce787c42eb7", "id": "669049df"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-dd8c46b0-7f35-4ff5-b4b3-b40d786c9ed1", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T08:44:37.801Z", "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} 
\ No newline at end of file 
diff --git a/Exabeam/Snapshot-with-sha256.json b/Exabeam/Snapshot-with-sha256.json 
index f577883e..141fbfd8 100644 
--- a/Exabeam/Snapshot-with-sha256.json 
+++ b/Exabeam/Snapshot-with-sha256.json 
@@ -1 +1 @@ 
-{"schema_version": "1.1.3", "type": "investigation", "search-txt": "sha256:\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\"", "actions": "[{\"arg\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"created\":\"2021-09-17T08:47:08.750Z\",\"id\":\"collect-cc221134\",\"result\":[{\"value\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"type\":\"sha256\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T08:47:08.971Z\",\"uuid\":\"b84603b2-892c-4ae0-a44b-a79138eb8842\"},{\"arg\":{\"type\":\"sha256\",\"value\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\"},\"created\":\"2021-09-17T08:47:08.990Z\",\"id\":\"investigate-408120d7\",\"result\":{\"data\":[{\"module\":\"AMP File Reputation\",\"module_instance_id\":\"ddcf41a2-3ecb-43e8-b5b2-0e36ad2e16f3\",\"module_type_id\":\"1898d0e8-45f7-550d-8ab5-915f064426dd\",\"data\":{\"verdicts\":{\"count\":0,\"docs\":[]},\"judgements\":{\"count\":0,\"docs\":[]}}},{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":2,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx 
ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 
0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE 
Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a8fb6af2-3415-50d1-a2eb-30a734ab2c28\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.158Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 
ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveI
d\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-badbe2ca-fd17-5ba0-8398-97ef745eff2e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-12T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.159Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T08:47:10.782Z\",\"uuid\":\"139a9999-7749-4987-84d4-66626d5e21a7\"}]", "short_description": "Exabeam_sha256", "omittedObservables": [], "archivedObservables": [{"key": "b81d9eb5-4101-4058-8190-25b13ddbab13", "value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "indicators": [], "type": "sha256", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": null, "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "id": "600d3ae4", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "observables": [{"value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sha256"}], "obs": "sha256:e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-badbe2ca-fd17-5ba0-8398-97ef745eff2e", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "sha256", "ctr_uuid": "bda1f4da-f890-4293-b3dc-9bc53a875347", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, 
{"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com 
ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "observables": [{"value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sha256"}], "obs": "sha256:e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a8fb6af2-3415-50d1-a2eb-30a734ab2c28", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "sha256", "ctr_uuid": "935e9fe1-f378-4afb-b10f-891b90f388b8", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, 
{"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "a2a15ec7-ff91-4775-8ca1-f2a88f5112de", "observable": {"key": "b81d9eb5-4101-4058-8190-25b13ddbab13", "value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "indicators": [], "type": "sha256", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": null, "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "id": "600d3ae4", "judgements": [], "sightings": 
[{"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com 
ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "observables": [{"value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sha256"}], "obs": "sha256:e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, 
"source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-badbe2ca-fd17-5ba0-8398-97ef745eff2e", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "sha256", "ctr_uuid": "bda1f4da-f890-4293-b3dc-9bc53a875347", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "observables": [{"value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sha256"}], "obs": "sha256:e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, 
"source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a8fb6af2-3415-50d1-a2eb-30a734ab2c28", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "sha256", "ctr_uuid": "935e9fe1-f378-4afb-b10f-891b90f388b8", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}], "revListOrder": 4}, "notifications": null, "disposition_name": "Unknown", "disposition": 5, "type": "sha256", "value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "id": "600d3ae4"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-6a5b0013-c69e-411a-a95c-8cb5658392c8", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T09:42:17.092Z", "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} \ No newline at end of file +{"schema_version": "1.1.3", "type": "investigation", "search-txt": "sha256:\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\"", "actions": "[{\"arg\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"created\":\"2021-09-17T08:47:08.750Z\",\"id\":\"collect-cc221134\",\"result\":[{\"value\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"type\":\"sha256\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-09-17T08:47:08.971Z\",\"uuid\":\"b84603b2-892c-4ae0-a44b-a79138eb8842\"},{\"arg\":{\"type\":\"sha256\",\"value\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\"},\"created\":\"2021-09-17T08:47:08.990Z\",\"id\":\"investigate-408120d7\",\"result\":{\"data\":[{\"module\":\"AMP File 
Reputation\",\"module_instance_id\":\"ddcf41a2-3ecb-43e8-b5b2-0e36ad2e16f3\",\"module_type_id\":\"1898d0e8-45f7-550d-8ab5-915f064426dd\",\"data\":{\"verdicts\":{\"count\":0,\"docs\":[]},\"judgements\":{\"count\":0,\"docs\":[]}}},{\"module\":\"Exabeam\",\"module_instance_id\":\"942af880-b962-4a4a-9aa6-4d5ec500e84a\",\"module_type_id\":\"873cd460-1d10-4695-a1ce-bc955e8cca74\",\"data\":{\"sightings\":{\"count\":2,\"docs\":[{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box 
ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveId\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE 
Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_17_61483_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-a8fb6af2-3415-50d1-a2eb-30a734ab2c28\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.158Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}},{\"description\":\"```\\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 
ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\\\"eventId\\\":\\\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\\\",\\\"eventType\\\":\\\"MODIFIED\\\",\\\"eventTimestamp\\\":\\\"2021-09-16T23:36:55.422Z\\\",\\\"insertionTimestamp\\\":\\\"2021-09-16T23:36:58.256432Z\\\",\\\"fieldErrors\\\":[],\\\"filePath\\\":null,\\\"fileName\\\":\\\"Quote 0782.docx\\\",\\\"fileType\\\":\\\"FILE\\\",\\\"fileCategory\\\":\\\"Document\\\",\\\"fileCategoryByBytes\\\":\\\"Uncategorized\\\",\\\"fileCategoryByExtension\\\":\\\"Document\\\",\\\"fileSize\\\":603648,\\\"fileOwner\\\":\\\"kathy.kane@c42se.com\\\",\\\"md5Checksum\\\":\\\"dcc92f74841f4934189d4ce787c42eb7\\\",\\\"sha256Checksum\\\":\\\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\\\",\\\"createTimestamp\\\":\\\"2020-05-21T09:16:51Z\\\",\\\"modifyTimestamp\\\":\\\"2021-09-15T09:19:07Z\\\",\\\"deviceUserName\\\":\\\"kathy.kane@c42se.com\\\",\\\"osHostName\\\":null,\\\"domainName\\\":null,\\\"publicIpAddress\\\":null,\\\"privateIpAddresses\\\":[],\\\"deviceUid\\\":null,\\\"userUid\\\":\\\"886897886179661430\\\",\\\"actor\\\":\\\"kathy.kane@c42se.com\\\",\\\"directoryId\\\":[\\\"112744931547\\\"],\\\"source\\\":\\\"Box\\\",\\\"url\\\":\\\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\\\",\\\"shared\\\":\\\"TRUE\\\",\\\"sharedWith\\\":[],\\\"sharingTypeAdded\\\":[],\\\"cloudDriveI
d\\\":\\\"9981852168\\\",\\\"detectionSourceAlias\\\":\\\"C42 SE Box\\\",\\\"fileId\\\":\\\"667871650834\\\",\\\"exposure\\\":[\\\"SharedViaLink\\\"],\\\"processOwner\\\":null,\\\"processName\\\":null,\\\"windowTitle\\\":[],\\\"tabUrl\\\":null,\\\"tabs\\\":[],\\\"sourceTabs\\\":[],\\\"fileClassifications\\\":[],\\\"removableMediaVendor\\\":null,\\\"removableMediaName\\\":null,\\\"removableMediaSerialNumber\\\":null,\\\"removableMediaCapacity\\\":null,\\\"removableMediaBusType\\\":null,\\\"removableMediaMediaName\\\":null,\\\"removableMediaVolumeName\\\":[],\\\"removableMediaPartitionId\\\":[],\\\"syncDestination\\\":null,\\\"syncDestinationUsername\\\":[],\\\"emailDlpPolicyNames\\\":null,\\\"emailSubject\\\":null,\\\"emailSender\\\":null,\\\"emailFrom\\\":null,\\\"emailRecipients\\\":null,\\\"outsideActiveHours\\\":false,\\\"mimeTypeByBytes\\\":\\\"application/x-tika-ooxml\\\",\\\"mimeTypeByExtension\\\":\\\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\\\",\\\"mimeTypeMismatch\\\":false,\\\"printJobName\\\":null,\\\"printerName\\\":null,\\\"printedFilesBackupPath\\\":null,\\\"remoteActivity\\\":null,\\\"trusted\\\":false,\\\"trustReason\\\":null,\\\"operatingSystemUser\\\":null,\\\"destinationCategory\\\":null,\\\"destinationName\\\":null,\\\"sourceCategory\\\":null,\\\"sourceName\\\":null,\\\"riskScore\\\":0,\\\"riskSeverity\\\":\\\"NO_RISK_INDICATED\\\",\\\"riskIndicators\\\":[]} \\n```\",\"schema_version\":\"1.1.7\",\"observables\":[{\"value\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"type\":\"sha256\"}],\"type\":\"sighting\",\"source\":\"Exabeam\",\"external_ids\":[\"lms.kafka.topic_18_61482_bb3b8a648af1\"],\"short_description\":\"Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable\",\"title\":\"Log message received by Exabeam in last 30 days contains 
observable\",\"internal\":true,\"source_uri\":\"https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))\",\"id\":\"transient:sighting-badbe2ca-fd17-5ba0-8398-97ef745eff2e\",\"count\":1,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2024-09-19T23:36:55.422Z\"},\"data\":{\"columns\":[{\"name\":\"forwarder\",\"type\":\"string\"},{\"name\":\"file_ext\",\"type\":\"string\"},{\"name\":\"source\",\"type\":\"string\"},{\"name\":\"file_name\",\"type\":\"string\"},{\"name\":\"alert_name\",\"type\":\"string\"},{\"name\":\"alert_type\",\"type\":\"string\"},{\"name\":\"modify_time\",\"type\":\"string\"},{\"name\":\"mime\",\"type\":\"string\"},{\"name\":\"activity_type\",\"type\":\"string\"},{\"name\":\"accesses\",\"type\":\"string\"},{\"name\":\"sha256\",\"type\":\"string\"},{\"name\":\"indexTime\",\"type\":\"string\"},{\"name\":\"bytes\",\"type\":\"string\"},{\"name\":\"data_type\",\"type\":\"string\"},{\"name\":\"md5\",\"type\":\"string\"},{\"name\":\"port\",\"type\":\"string\"},{\"name\":\"trusted\",\"type\":\"string\"},{\"name\":\"file_category\",\"type\":\"string\"},{\"name\":\"target\",\"type\":\"string\"},{\"name\":\"file_owner\",\"type\":\"string\"},{\"name\":\"file_type\",\"type\":\"string\"},{\"name\":\"user_uid\",\"type\":\"string\"},{\"name\":\"time\",\"type\":\"string\"},{\"name\":\"email_user\",\"type\":\"string\"},{\"name\":\"user\",\"type\":\"string\"},{\"name\":\"create_time\",\"type\":\"string\"}],\"rows\":[[\"gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal\",\"Document\",\"Box\",\"Quote 
0782.docx\",\"SharedViaLink\",\"SharedViaLink\",\"2021-09-15T09:19:07Z\",\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"SharedViaLink\",\"MODIFIED\",\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"2021-09-16T23:38:30.159Z\",603648,\"code42-exfil-share-datatype\",\"dcc92f74841f4934189d4ce787c42eb7\",57848,\"false\",\"Document\",\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"kathy.kane@c42se.com\",\"FILE\",\"886897886179661430\",\"2021-09-16T23:36:55.422Z\",\"kathy.kane@c42se.com\",\"kathy.kane@c42se.com\",\"2020-05-21T09:16:51Z\"]]}}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-09-17T08:47:10.782Z\",\"uuid\":\"139a9999-7749-4987-84d4-66626d5e21a7\"}]", "short_description": "Exabeam_sha256", "omittedObservables": [], "archivedObservables": [{"key": "b81d9eb5-4101-4058-8190-25b13ddbab13", "value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "indicators": [], "type": "sha256", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": null, "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "id": "600d3ae4", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z 
ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "observables": [{"value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sha256"}], "obs": "sha256:e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-badbe2ca-fd17-5ba0-8398-97ef745eff2e", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "sha256", "ctr_uuid": "bda1f4da-f890-4293-b3dc-9bc53a875347", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, 
{"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com 
ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 
0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory
\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "observables": [{"value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sha256"}], "obs": "sha256:e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, "source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a8fb6af2-3415-50d1-a2eb-30a734ab2c28", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "sha256", "ctr_uuid": "935e9fe1-f378-4afb-b10f-891b90f388b8", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, 
{"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "a2a15ec7-ff91-4775-8ca1-f2a88f5112de", "observable": {"key": "b81d9eb5-4101-4058-8190-25b13ddbab13", "value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "indicators": [], "type": "sha256", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": null, "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "id": "600d3ae4", "judgements": [], "sightings": 
[{"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 5553597029279483527 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com 
ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "observables": [{"value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sha256"}], "obs": "sha256:e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_18_61482_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, 
"source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_18_61482_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-badbe2ca-fd17-5ba0-8398-97ef745eff2e", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "sha256", "ctr_uuid": "bda1f4da-f890-4293-b3dc-9bc53a875347", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.159Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}, {"suspicious": 0, "description": "```\n<110>1 2021-09-16T23:36:55.422Z 804e3b095828 Skyformation - 2162936097626041308 - CEF:0|Skyformation|SkyFormation Cloud Apps Security|2.0.0|sk4-audit-event|audit-event|0|cat=audit cs6Label=raw-event destinationServiceName=Code42 deviceInboundInterface=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 dproc=file events dtz=default-tenant end=1631835415422 flexString1=MODIFIED flexString1Label=application-action requestClientApplication=Code42 - DEMO suid=username suser=kathy.kane@c42se.com ext_fileCategoryByExtension=Document ext_riskIndicators=[] ext_sharingTypeAdded=[] ext_fileCategory=Document ext_eventTimestamp=2021-09-16T23:36:55.422Z ext_fileClassifications=[] ext_userUid=886897886179661430 ext_riskScore=0 ext_fileName=Quote 0782.docx ext_eventId=667871650834_3faff36c-4b24-4d65-804a-baba4a66a090 ext_fileId=667871650834 ext_syncDestinationUsername=[] ext_sourceTabs=[] ext_mimeTypeByExtension=application/vnd.openxmlformats-officedocument.wordprocessingml.document ext_fileType=FILE ext_riskSeverity=NO_RISK_INDICATED ext_modifyTimestamp=2021-09-15T09:19:07Z ext_md5Checksum=dcc92f74841f4934189d4ce787c42eb7 ext_sharedWith=[] ext_sha256Checksum=e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b ext_privateIpAddresses=[] ext_fileCategoryByBytes=Uncategorized ext_actor=kathy.kane@c42se.com ext_cloudDriveId=9981852168 ext_deviceUserName=kathy.kane@c42se.com ext_removableMediaVolumeName=[] 
ext_fieldErrors=[] ext_exposure_0_=SharedViaLink ext_trusted=false ext_detectionSourceAlias=C42 SE Box ext_outsideActiveHours=false ext_fileSize=603648 ext_insertionTimestamp=2021-09-16T23:36:58.256432Z ext_shared=TRUE ext_directoryId_0_=112744931547 ext_eventType=MODIFIED ext_source=Box ext_createTimestamp=2020-05-21T09:16:51Z ext_mimeTypeMismatch=false ext_mimeTypeByBytes=application/x-tika-ooxml ext_tabs=[] ext_url=https://app.box.com/master/content/9981852168/112744931547/0/667871650834 ext_fileOwner=kathy.kane@c42se.com ext_removableMediaPartitionId=[] ext_windowTitle=[] cs6={\"eventId\":\"667871650834_3faff36c-4b24-4d65-804a-baba4a66a090\",\"eventType\":\"MODIFIED\",\"eventTimestamp\":\"2021-09-16T23:36:55.422Z\",\"insertionTimestamp\":\"2021-09-16T23:36:58.256432Z\",\"fieldErrors\":[],\"filePath\":null,\"fileName\":\"Quote 0782.docx\",\"fileType\":\"FILE\",\"fileCategory\":\"Document\",\"fileCategoryByBytes\":\"Uncategorized\",\"fileCategoryByExtension\":\"Document\",\"fileSize\":603648,\"fileOwner\":\"kathy.kane@c42se.com\",\"md5Checksum\":\"dcc92f74841f4934189d4ce787c42eb7\",\"sha256Checksum\":\"e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b\",\"createTimestamp\":\"2020-05-21T09:16:51Z\",\"modifyTimestamp\":\"2021-09-15T09:19:07Z\",\"deviceUserName\":\"kathy.kane@c42se.com\",\"osHostName\":null,\"domainName\":null,\"publicIpAddress\":null,\"privateIpAddresses\":[],\"deviceUid\":null,\"userUid\":\"886897886179661430\",\"actor\":\"kathy.kane@c42se.com\",\"directoryId\":[\"112744931547\"],\"source\":\"Box\",\"url\":\"https://app.box.com/master/content/9981852168/112744931547/0/667871650834\",\"shared\":\"TRUE\",\"sharedWith\":[],\"sharingTypeAdded\":[],\"cloudDriveId\":\"9981852168\",\"detectionSourceAlias\":\"C42 SE 
Box\",\"fileId\":\"667871650834\",\"exposure\":[\"SharedViaLink\"],\"processOwner\":null,\"processName\":null,\"windowTitle\":[],\"tabUrl\":null,\"tabs\":[],\"sourceTabs\":[],\"fileClassifications\":[],\"removableMediaVendor\":null,\"removableMediaName\":null,\"removableMediaSerialNumber\":null,\"removableMediaCapacity\":null,\"removableMediaBusType\":null,\"removableMediaMediaName\":null,\"removableMediaVolumeName\":[],\"removableMediaPartitionId\":[],\"syncDestination\":null,\"syncDestinationUsername\":[],\"emailDlpPolicyNames\":null,\"emailSubject\":null,\"emailSender\":null,\"emailFrom\":null,\"emailRecipients\":null,\"outsideActiveHours\":false,\"mimeTypeByBytes\":\"application/x-tika-ooxml\",\"mimeTypeByExtension\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"mimeTypeMismatch\":false,\"printJobName\":null,\"printerName\":null,\"printedFilesBackupPath\":null,\"remoteActivity\":null,\"trusted\":false,\"trustReason\":null,\"operatingSystemUser\":null,\"destinationCategory\":null,\"destinationName\":null,\"sourceCategory\":null,\"sourceName\":null,\"riskScore\":0,\"riskSeverity\":\"NO_RISK_INDICATED\",\"riskIndicators\":[]} \n```", "observed_end_time": "2021-09-16T23:36:55Z", "target_count": 0, "schema_version": "1.1.7", "unknown": 1, "observable_value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "observables": [{"value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sha256"}], "obs": "sha256:e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "type": "sighting", "source": "Exabeam", "external_ids": ["lms.kafka.topic_17_61483_bb3b8a648af1"], "disposition": 5, "short_description": "Exabeam received a log from gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal containing the observable", "malicious": 0, "title": "Log message received by Exabeam in last 30 days contains observable", "module": "Exabeam", "internal": true, "common": 0, 
"source_uri": "https://tbd2-int-e2e.dl.exabeam.com/data/app/dataui#/discover?_g=(time:(from:now-30d))&_a=(interval:(text:Auto,val:auto),query:(query_string:(default_field:message,query:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22')),queryString:'_id:%22lms.kafka.topic_17_61483_bb3b8a648af1%22',searchExecuted:!t,sort:!(indexTime,desc),uiState:(vis:(colors:(Count:%23139df2))))", "disposition_name": "Unknown", "id": "transient:sighting-a8fb6af2-3415-50d1-a2eb-30a734ab2c28", "observed_start_time": "2021-09-16T23:36:55Z", "count": 1, "observable_type": "sha256", "ctr_uuid": "935e9fe1-f378-4afb-b10f-891b90f388b8", "confidence": "High", "observed_time": {"start_time": "2021-09-16T23:36:55.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "forwarder", "type": "string"}, {"name": "file_ext", "type": "string"}, {"name": "source", "type": "string"}, {"name": "file_name", "type": "string"}, {"name": "alert_name", "type": "string"}, {"name": "alert_type", "type": "string"}, {"name": "modify_time", "type": "string"}, {"name": "mime", "type": "string"}, {"name": "activity_type", "type": "string"}, {"name": "accesses", "type": "string"}, {"name": "sha256", "type": "string"}, {"name": "indexTime", "type": "string"}, {"name": "bytes", "type": "string"}, {"name": "data_type", "type": "string"}, {"name": "md5", "type": "string"}, {"name": "port", "type": "string"}, {"name": "trusted", "type": "string"}, {"name": "file_category", "type": "string"}, {"name": "target", "type": "string"}, {"name": "file_owner", "type": "string"}, {"name": "file_type", "type": "string"}, {"name": "user_uid", "type": "string"}, {"name": "time", "type": "string"}, {"name": "email_user", "type": "string"}, {"name": "user", "type": "string"}, {"name": "create_time", "type": "string"}], "rows": [["gke-tbd2-int-e2e-standard-7c2a2dba-0b94.c.ops-dist-tbd2-int-e2e.internal", "Document", "Box", "Quote 0782.docx", "SharedViaLink", "SharedViaLink", "2021-09-15T09:19:07Z", 
"application/vnd.openxmlformats-officedocument.wordprocessingml.document", "SharedViaLink", "MODIFIED", "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "2021-09-16T23:38:30.158Z", 603648, "code42-exfil-share-datatype", "dcc92f74841f4934189d4ce787c42eb7", 57848, "false", "Document", "https://app.box.com/master/content/9981852168/112744931547/0/667871650834", "kathy.kane@c42se.com", "FILE", "886897886179661430", "2021-09-16T23:36:55.422Z", "kathy.kane@c42se.com", "kathy.kane@c42se.com", "2020-05-21T09:16:51Z"]]}}], "revListOrder": 4}, "notifications": null, "disposition_name": "Unknown", "disposition": 5, "type": "sha256", "value": "e769bc5d0a4c62e299f54791267986760ad0c41d4aa852d320b01fea1b566c9b", "id": "600d3ae4"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-6a5b0013-c69e-411a-a95c-8cb5658392c8", "tlp": "amber", "groups": ["accb4a61-abc7-4744-a229-f6f230cf2f2e"], "timestamp": "2021-09-17T09:42:17.092Z", "owner": "b356b4a5-1e4b-4ec1-8ac8-6f7bba3d2fee", "source": "Olena Shynkarenko"} \ No newline at end of file